Patchwork [3.5.yuz,extended,stable] Patch "fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check" has been added to staging queue

mail settings
Submitter Herton Ronaldo Krzesinski
Date Nov. 22, 2012, 4:50 a.m.
Message ID <>
Download mbox | patch
Permalink /patch/201014/
State New
Headers show


Herton Ronaldo Krzesinski - Nov. 22, 2012, 4:50 a.m.
This is a note to let you know that I have just added a patch titled

    fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check

to the linux-3.5.y-queue branch of the 3.5.yuz extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.yuz tree, see



From db659937235074b6575789a1f0cddae73a886d9d Mon Sep 17 00:00:00 2001
From: Kees Cook <>
Date: Thu, 25 Oct 2012 13:38:16 -0700
Subject: [PATCH] fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check

commit 12176503366885edd542389eed3aaf94be163fdb upstream.

The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check
while converting ioctl arguments.  This could lead to leaking kernel
stack contents into userspace.

Patch extracted from existing fix in grsecurity.

Signed-off-by: Kees Cook <>
Cc: David Miller <>
Cc: Brad Spengler <>
Cc: PaX Team <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Herton Ronaldo Krzesinski <>
 fs/compat_ioctl.c |    2 ++
 1 file changed, 2 insertions(+)



diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index debdfe0..5d2069f 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -210,6 +210,8 @@  static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd,

 	err  = get_user(palp, &up->palette);
 	err |= get_user(length, &up->length);
+	if (err)
+		return -EFAULT;

 	up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
 	err  = put_user(compat_ptr(palp), &up_native->palette);