From patchwork Fri Oct 7 15:33:38 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 118338 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 6B447B70DC for ; Sat, 8 Oct 2011 02:34:13 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1RCCR2-0002kE-GE; Fri, 07 Oct 2011 15:34:04 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1RCCQv-0002gl-3f for kernel-team@lists.ubuntu.com; Fri, 07 Oct 2011 15:33:57 +0000 Received: from 212-139-214-120.dynamic.dsl.as9105.com ([212.139.214.120] helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1RCCQu-0001tw-5o; Fri, 07 Oct 2011 15:33:57 +0000 From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [lucid/fsl-imx51, maverick, maverick/ti-omap4, natty, natty/ti-omap4 CVE 1/1] staging: comedi: fix infoleak to userspace Date: Fri, 7 Oct 2011 16:33:38 +0100 Message-Id: <1318001618-24037-2-git-send-email-apw@canonical.com> X-Mailer: git-send-email 1.7.4.1 In-Reply-To: <1318001618-24037-1-git-send-email-apw@canonical.com> References: <1318001618-24037-1-git-send-email-apw@canonical.com> Cc: Andy Whitcroft X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: Vasiliy Kulikov driver_name and board_name are pointers to strings, not buffers of size COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes. Signed-off-by: Vasiliy Kulikov Cc: stable Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 819cbb120eaec7e014e5abd029260db1ca8c5735) CVE-2011-2909 BugLink: http://bugs.launchpad.net/bugs/869261 Signed-off-by: Andy Whitcroft Acked-by: Seth Forshee --- drivers/staging/comedi/comedi_fops.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 9d7c993..16d98ce 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -359,8 +359,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev, struct comedi_devinfo *ar /* fill devinfo structure */ devinfo.version_code = COMEDI_VERSION_CODE; devinfo.n_subdevs = dev->n_subdevices; - memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); - memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); + strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); + strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); if (read_subdev) devinfo.read_subdevice = read_subdev - dev->subdevices;