RE: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




-----Original Message-----
From: Dan Carpenter [mailto:dan.carpenter@xxxxxxxxxx] 
Sent: Wednesday, September 11, 2013 2:39 AM
To: Miller, Mike (OS Dev); Andrew Morton
Cc: ISS StorageDev; linux-kernel@xxxxxxxxxxxxxxx; kernel-janitors@xxxxxxxxxxxxxxx; Moritz Muehlenhoff
Subject: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()

The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would cause an information leak as well.

This was assigned CVE-2013-2147.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Acked-by: Mike Miller <mike.miller@xxxxxx>

diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
 	int err;
 	u32 cp;
 
+	memset(&arg64, 0, sizeof(arg64));
 	err = 0;
 	err |=
 	    copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux