Re: [PATCH] Staging: comedi: fix information leak

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 09/03/15 20:08, Matteo Semenzato wrote:
From: Matteo Semenzato <mattew8898@xxxxxxxxx>

The comedi_cmd struct has an hole after chanlist_len that could contain uninitialized
memory, this struct is copied to userspace.

Signed-off-by: Matteo Semenato <mattew8898@xxxxxxxxx>
---
  drivers/staging/comedi/comedi_fops.c | 2 ++
  1 file changed, 2 insertions(+)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 727640e..1cdf0a2 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1718,6 +1718,8 @@ static int do_cmdtest_ioctl(struct comedi_device *dev,
  	unsigned int __user *user_chanlist;
  	int ret;

+	memset(&cmd, 0, sizeof(cmd));
+
  	/* get the user's cmd and do some simple validation */
  	ret = __comedi_get_user_cmd(dev, arg, &cmd);
  	if (ret)


I see no information leak there. The cmd variable gets copied over with user memory by the call to __comedi_get_user_cmd(), so zero-filling it first is rather pointless.

--
-=( Ian Abbott @ MEV Ltd.    E-mail: <abbotti@xxxxxxxxx> )=-
-=(                          Web: http://www.mev.co.uk/  )=-
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel




[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux