Message ID | 1296007965-31306-1-git-send-email-brad.figg@canonical.com |
---|---|
State | Accepted |
Delegated to: | Stefan Bader |
On 01/25/2011 07:12 PM, Brad Figg wrote: > From: Dan Rosenberg<drosenberg@vsecurity.com> > > CVE-2010-4079 > > BugLink: http://bugs.launchpad.net/bugs/707649 > > Released by: 2.6.32.y stable upstream > > The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 > bytes of uninitialized stack memory, because the "reserved" member of > the fb_vblank struct declared on the stack is not altered or zeroed > before being copied back to the user. This patch takes care of it. > > Signed-off-by: Dan Rosenberg<dan.j.rosenberg@gmail.com> > Signed-off-by: Andy Walls<awalls@md.metrocast.net> > Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com> > > (cherry-picked from commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9) > Signed-off-by: Brad Figg<brad.figg@canonical.com> > --- > drivers/media/video/ivtv/ivtvfb.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c > index 52ffd15..48fc638 100644 > --- a/drivers/media/video/ivtv/ivtvfb.c > +++ b/drivers/media/video/ivtv/ivtvfb.c > @@ -378,6 +378,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar > struct fb_vblank vblank; > u32 trace; > > + memset(&vblank, 0, sizeof(struct fb_vblank)); > + > vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT | > FB_VBLANK_HAVE_VSYNC; > trace = read_reg(0x028c0)>> 16; Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 01/26/2011 03:12 AM, Brad Figg wrote: > From: Dan Rosenberg <drosenberg@vsecurity.com> > > CVE-2010-4079 > > BugLink: http://bugs.launchpad.net/bugs/707649 > > Released by: 2.6.32.y stable upstream > > The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 > bytes of uninitialized stack memory, because the "reserved" member of > the fb_vblank struct declared on the stack is not altered or zeroed > before being copied back to the user. This patch takes care of it. > > Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> > Signed-off-by: Andy Walls <awalls@md.metrocast.net> > Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> > > (cherry-picked from commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9) > Signed-off-by: Brad Figg <brad.figg@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > drivers/media/video/ivtv/ivtvfb.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c > index 52ffd15..48fc638 100644 > --- a/drivers/media/video/ivtv/ivtvfb.c > +++ b/drivers/media/video/ivtv/ivtvfb.c > @@ -378,6 +378,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar > struct fb_vblank vblank; > u32 trace; > > + memset(&vblank, 0, sizeof(struct fb_vblank)); > + > vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT | > FB_VBLANK_HAVE_VSYNC; > trace = read_reg(0x028c0) >> 16;
On 01/25/2011 07:12 PM, Brad Figg wrote: > From: Dan Rosenberg<drosenberg@vsecurity.com> > > CVE-2010-4079 > > BugLink: http://bugs.launchpad.net/bugs/707649 > > Released by: 2.6.32.y stable upstream > > The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 > bytes of uninitialized stack memory, because the "reserved" member of > the fb_vblank struct declared on the stack is not altered or zeroed > before being copied back to the user. This patch takes care of it. > > Signed-off-by: Dan Rosenberg<dan.j.rosenberg@gmail.com> > Signed-off-by: Andy Walls<awalls@md.metrocast.net> > Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com> > > (cherry-picked from commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9) > Signed-off-by: Brad Figg<brad.figg@canonical.com> > --- > drivers/media/video/ivtv/ivtvfb.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c > index 52ffd15..48fc638 100644 > --- a/drivers/media/video/ivtv/ivtvfb.c > +++ b/drivers/media/video/ivtv/ivtvfb.c > @@ -378,6 +378,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar > struct fb_vblank vblank; > u32 trace; > > + memset(&vblank, 0, sizeof(struct fb_vblank)); > + > vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT | > FB_VBLANK_HAVE_VSYNC; > trace = read_reg(0x028c0)>> 16; applied and pushed
diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c index 52ffd15..48fc638 100644 --- a/drivers/media/video/ivtv/ivtvfb.c +++ b/drivers/media/video/ivtv/ivtvfb.c @@ -378,6 +378,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar struct fb_vblank vblank; u32 trace; + memset(&vblank, 0, sizeof(struct fb_vblank)); + vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT | FB_VBLANK_HAVE_VSYNC; trace = read_reg(0x028c0) >> 16;
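Review bot: the added memset sizes the clear by type name, `sizeof(struct fb_vblank)`, rather than by the object it clears, so it would go out of step if the `struct fb_vblank vblank;` declaration just above it ever changed type; `memset(&vblank, 0, sizeof(vblank));` avoids that. A one-line comment above the memset saying it exists because the "reserved" member is otherwise never written before the struct is copied back to the user would keep a later cleanup from dropping it as redundant. Clearing with memset rather than a `= { 0 }` initializer is the right choice here, since memset also covers any padding bytes in the struct.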