From patchwork Fri Oct  7 15:33:38 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [lucid/fsl-imx51, maverick, maverick/ti-omap4, natty, natty/ti-omap4,
 CVE, 1/1] staging: comedi: fix infoleak to userspace
X-Patchwork-Submitter: Andy Whitcroft <apw@canonical.com>
X-Patchwork-Id: 118338
Message-Id: <1318001618-24037-2-git-send-email-apw@canonical.com>
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft <apw@canonical.com>
Date: Fri,  7 Oct 2011 16:33:38 +0100
From: Andy Whitcroft <apw@canonical.com>
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>

From: Vasiliy Kulikov <segoon@openwall.com>

driver_name and board_name are pointers to strings, not buffers of size
COMEDI_NAMELEN.  Copying COMEDI_NAMELEN bytes of a string containing
less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

(cherry picked from commit 819cbb120eaec7e014e5abd029260db1ca8c5735)
CVE-2011-2909
BugLink: http://bugs.launchpad.net/bugs/869261
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
---
 drivers/staging/comedi/comedi_fops.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 9d7c993..16d98ce 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -359,8 +359,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev, struct comedi_devinfo *ar
 	/* fill devinfo structure */
 	devinfo.version_code = COMEDI_VERSION_CODE;
 	devinfo.n_subdevs = dev->n_subdevices;
-	memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
-	memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
+	strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
+	strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
 
 	if (read_subdev)
 		devinfo.read_subdevice = read_subdev - dev->subdevices;