Re: [PATCH] Staging: bcm: Fix information leak in ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE

Hi Dan,

On Tue, Nov 1, 2011 at 7:59 AM, Kevin McKinney <klmckinney1@xxxxxxxxx> wrote:
> On Tue, Nov 1, 2011 at 2:18 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>> On Mon, Oct 31, 2011 at 09:18:16PM -0400, Kevin McKinney wrote:
>>> diff --git a/drivers/staging/bcm/InterfaceMisc.c b/drivers/staging/bcm/InterfaceMisc.c
>>> index 61f878b..f10ecd8 100644
>>> --- a/drivers/staging/bcm/InterfaceMisc.c
>>> +++ b/drivers/staging/bcm/InterfaceMisc.c
>>> @@ -48,15 +48,15 @@ INT InterfaceRDM(PS_INTERFACE_ADAPTER psIntfAdapter,
>>>
>>>       } while ((retval < 0) && (usRetries < MAX_RDM_WRM_RETIRES));
>>>
>>> -     if (retval < 0) {
>>> +     if (retval < 0) {
>>>               BCM_DEBUG_PRINT(psIntfAdapter->psAdapter, DBG_TYPE_OTHERS, RDM, DBG_LVL_ALL, "RDM failed status :%d, retires :%d", retval, usRetries);
>>>               psIntfAdapter->psAdapter->DeviceAccess = FALSE;
>>>               return retval;
>>> -     } else {
>>> -             BCM_DEBUG_PRINT(psIntfAdapter->psAdapter, DBG_TYPE_OTHERS, RDM, DBG_LVL_ALL, "RDM sent %d", retval);
>>> -             psIntfAdapter->psAdapter->DeviceAccess = FALSE;
>>> -             return STATUS_SUCCESS;
>>>       }
>>> +
>>> +     BCM_DEBUG_PRINT(psIntfAdapter->psAdapter, DBG_TYPE_OTHERS, RDM, DBG_LVL_ALL, "RDM sent %d", retval);
>>> +     psIntfAdapter->psAdapter->DeviceAccess = FALSE;
>>> +     return retval;
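Review bot: the final "return retval;" changes what InterfaceRDM returns on success from STATUS_SUCCESS to a positive byte count, so any caller that treats a nonzero return as failure will now report an error on a successful read. The callers are not part of this hunk; each one needs to be checked and, where necessary, converted to test "< 0". A comment above the function stating the new contract (negative value on failure, number of bytes read on success) would keep later callers from assuming the old convention. Separately, the "if (retval < 0) {" line is removed and re-added with no visible difference, which looks like a whitespace-only change and belongs in the changelog or in its own patch.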
>>
>> This should be:
>>
>> return STATUS_SUCCESS;

I was under the impression that the underlying reason for this change
was to retrieve the number of bytes from the hardware and copy these
bytes to user space. This in turn fixes the information leak. As such,
if we return STATUS_SUCCESS here, the original problem, information
leak, still remains. That is, a 0 is returned instead of the exact
number of bytes from the hardware to copy to
IOCTL_BCM_REGISTER_READ_PRIVATE.

As it stands now, this function calls usb_control_msg which returns
the exact number of bytes from the hardware. We then return this to be
used by ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE. Please advise.

Thanks,
Kevin
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
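
The reasoning in the reply above, as an added example that is not part of the original thread or of the bcm driver: a userspace C model in which a short read leaves stale bytes in a scratch buffer, comparing a copy bounded by the requested length with one bounded by the returned byte count. All function names, the buffer size and the marker byte values are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model with constructed data; every name here is hypothetical. */
#define SCRATCH_LEN 16
#define STALE 0x5E  /* leftover contents of a buffer that was never zeroed */
#define DEVICE 0xAB /* bytes actually transferred from the device */

/* Stand-in for the register read: returns bytes transferred (at most avail), negative on failure. */
static int model_rdm(unsigned char *buf, size_t want, size_t avail)
{
    size_t n = want < avail ? want : avail;
    memset(buf, DEVICE, n);
    return (int)n;
}

/* use_count == 0: read status collapsed to 0, requested length copied.
 * use_count != 0: byte count propagated and used to bound the copy. */
static int model_ioctl_read(unsigned char *user, size_t want, size_t avail, int use_count)
{
    unsigned char scratch[SCRATCH_LEN];
    int got;
    if (want > SCRATCH_LEN)
        return -1;
    memset(scratch, STALE, sizeof(scratch));
    got = model_rdm(scratch, want, avail);
    if (got < 0)
        return got;
    memcpy(user, scratch, use_count ? (size_t)got : want); /* copy_to_user() stand-in */
    return use_count ? got : 0;
}

/* Number of stale bytes that reached the caller's buffer. */
static int leaked_bytes(const unsigned char *user, size_t len)
{
    int n = 0;
    for (size_t i = 0; i < len; i++)
        n += (user[i] == STALE);
    return n;
}

int main(void)
{
    unsigned char a[SCRATCH_LEN] = {0}, b[SCRATCH_LEN] = {0};
    model_ioctl_read(a, 8, 3, 0);
    model_ioctl_read(b, 8, 3, 1);
    printf("stale bytes copied: before=%d after=%d\n", leaked_bytes(a, 16), leaked_bytes(b, 16));
    return 0;
}
```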


