Re: [patch] [media] bt8xx: info leak in ca_get_slot_info()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Am 25.07.2013 18:46, schrieb Dan Carpenter:
> p_ca_slot_info was allocated with kmalloc() so we need to clear it
> before passing it to the user.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> 
> diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c
> index 0e788fc..6b9dc3f 100644
> --- a/drivers/media/pci/bt8xx/dst_ca.c
> +++ b/drivers/media/pci/bt8xx/dst_ca.c
> @@ -302,8 +302,11 @@ static int ca_get_slot_info(struct dst_state *state, struct ca_slot_info *p_ca_s
>  		p_ca_slot_info->flags = CA_CI_MODULE_READY;
>  		p_ca_slot_info->num = 1;
>  		p_ca_slot_info->type = CA_CI;
> -	} else
> +	} else {
>  		p_ca_slot_info->flags = 0;
> +		p_ca_slot_info->num = 0;
> +		p_ca_slot_info->type = 0;
> +	}
>  
>  	if (copy_to_user(arg, p_ca_slot_info, sizeof (struct ca_slot_info)))
>  		return -EFAULT;

note: i have no clue how p_ca_slot_info looks like,
but to avoid information leaks via compiler padding etc. i could be more wise
to do a  memset(p_ca_slot_info,0,sizeof (struct ca_slot_info))
and then set the
	p_ca_slot_info->flags = CA_CI_MODULE_READY;
	p_ca_slot_info->num = 1;
	p_ca_slot_info->type = CA_CI;

just my 2 cents,
re,
 wh
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux