Re: [PATCH] ide-tape: Don't leak kernel stack information

On Monday 20 July 2009 09:38:14 Borislav Petkov wrote:
> On Sun, Jul 19, 2009 at 09:15:19PM +0200, Michael Buesch wrote:
> > Don't leak kernel stack information through uninitialized structure members.
> > 
> > Signed-off-by: Michael Buesch <mb@xxxxxxxxx>
> > Cc: stable@xxxxxxxxxx
> > 
> > ---
> > 
> > This patch is only compile tested.
> > 
> > ---
> >  drivers/ide/ide-tape.c |    1 +
> >  1 file changed, 1 insertion(+)
> > 
> > --- linux-2.6.orig/drivers/ide/ide-tape.c
> > +++ linux-2.6/drivers/ide/ide-tape.c
> > @@ -1057,20 +1057,21 @@ static int idetape_blkdev_ioctl(ide_driv
> >  
> >  	debug_log(DBG_PROCS, "Enter %s\n", __func__);
> >  
> >  	switch (cmd) {
> >  	case 0x0340:
> >  		if (copy_from_user(&config, argp, sizeof(config)))
> >  			return -EFAULT;
> >  		tape->best_dsc_rw_freq = config.dsc_rw_frequency;
> >  		break;
> >  	case 0x0350:
> > +		memset(&config, 0, sizeof(config));
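
Review bot: The memset sits inside case 0x0350 only, so `config` is still an uninitialized stack variable on every other path through the switch. Zeroing it once before `switch (cmd)`, or at its declaration, would cover any case added later, and costs nothing for 0x0340, where copy_from_user() overwrites all of sizeof(config) anyway. The commit message would also be easier to audit for stable if it named the ioctl (0x0350) and the members that were left unset, since the quoted hunk shows only the added line and not the rest of the case.
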
> 
> Well, I can't find config.dsc_media_access_frequency as being used
> anywhere since the git years of the kernel. I found¹ some archaic
> kernels from 1995 (1.3 series) which used to have IDETAPE_RESET_IOCTL
> defined as 0x0350 but can't seem to find any userspace use of that
> ioctl.
> 
> If there's none, you might just as well remove
> config.dsc_media_access_frequency as an alternative solution.
> 
> @Bart: Any historic info I'm missing here?
> 
> 
> ¹http://www.google.com/search?q=IDETAPE_RESET_IOCTL
> 

Well, I don't feel so good changing the ABI of ancient drivers. So
I think it's best to just fix the bug (zero out the struct) instead of removing
the whole call. Who knows. Maybe some proprietary program in the depths of some
corporation's servers uses this ioctl...

So let's just zero out the structure properly to avoid the possibility of leaking
kernel stack information.

-- 
Greetings, Michael.
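
The leak class discussed in this thread, modelled in user space as an added example (not code from the patch, the thread or the kernel). The struct layout, the `hypothetical_flag` member, the `STALE` marker and the assumption that the handler sets only `dsc_rw_frequency` are constructed for illustration; only the two `dsc_*` member names come from the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model layout (assumption): only the two dsc_* names come from the thread. */
struct tape_config_model {
    int  dsc_rw_frequency;
    int  dsc_media_access_frequency;
    char hypothetical_flag;   /* made-up member; forces tail padding */
};

#define CFG_SIZE sizeof(struct tape_config_model)
#define STALE    0xA5         /* constructed marker for leftover stack bytes */

/*
 * Models a "get config" ioctl path. The handler sets one member and copies
 * the whole struct out. Returns how many bytes of stale data reach `out`.
 */
static size_t get_config(int zero_first, int freq, unsigned char *out)
{
    unsigned char slot[CFG_SIZE];   /* stands in for the on-stack struct */
    size_t off = offsetof(struct tape_config_model, dsc_rw_frequency);
    size_t i, leaked = 0;

    memset(slot, STALE, sizeof(slot));       /* what an earlier call left behind */
    if (zero_first)
        memset(slot, 0, sizeof(slot));       /* the one-line fix from the patch */
    memcpy(slot + off, &freq, sizeof(freq)); /* the only member the handler sets */

    memcpy(out, slot, sizeof(slot));         /* stands in for copy_to_user() */
    for (i = 0; i < sizeof(slot); i++) {
        if (i >= off && i < off + sizeof(freq))
            continue;                        /* skip the member that was written */
        if (out[i] == STALE)
            leaked++;
    }
    return leaked;
}

int main(void)
{
    unsigned char out[CFG_SIZE];

    printf("without memset: %zu stale bytes\n", get_config(0, 100, out));
    printf("with memset:    %zu stale bytes\n", get_config(1, 100, out));
    return 0;
}
```

The count without the memset includes the padding bytes as well as the unset members, which is why assigning each member by hand is not equivalent to zeroing the whole struct.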