| Message ID | 1284586992.6275.93.camel@dan |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
On Wed, Sep 15, 2010 at 05:43:12PM -0400, Dan Rosenberg wrote: > Fixed formatting (tabs and line breaks). > > The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read > 4 bytes of uninitialized stack memory, because the "addr" member of the > ch_reg struct declared on the stack in cxgb_extension_ioctl() is not > altered or zeroed before being copied back to the user. This patch > takes care of it. > > Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> > > --- linux-2.6.35.4.orig/drivers/net/cxgb3/cxgb3_main.c 2010-08-26 19:47:12.000000000 -0400 > +++ linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c 2010-09-14 21:24:34.369511115 -0400 > @@ -2296,6 +2296,8 @@ static int cxgb_extension_ioctl(struct n > case CHELSIO_GET_QSET_NUM:{ > struct ch_reg edata; > > + memset(&edata, 0, sizeof(struct ch_reg)); > + > edata.cmd = CHELSIO_GET_QSET_NUM; > edata.val = pi->nqsets; This is a pretty expensive way to fix it. either... + edata.addr = 0; or: - struct ch_reg edata; + struct ch_reg edata = { + .cmd = CHELSIO_GET_QSET_NUM, + .val = pi->nqsets + }; - edata.cmd = CHELSIO_GET_QSET_NUM; - edata.val = pi->nqsets; If you are worried that the struct ch_reg may grow someday. -- Steve > if (copy_to_user(useraddr, &edata, sizeof(edata))) > > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Dan Rosenberg <drosenberg@vsecurity.com> Date: Wed, 15 Sep 2010 17:43:12 -0400 > Fixed formatting (tabs and line breaks). > > The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read > 4 bytes of uninitialized stack memory, because the "addr" member of the > ch_reg struct declared on the stack in cxgb_extension_ioctl() is not > altered or zeroed before being copied back to the user. This patch > takes care of it. > > Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
--- linux-2.6.35.4.orig/drivers/net/cxgb3/cxgb3_main.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.4/drivers/net/cxgb3/cxgb3_main.c 2010-09-14 21:24:34.369511115 -0400 @@ -2296,6 +2296,8 @@ static int cxgb_extension_ioctl(struct n case CHELSIO_GET_QSET_NUM:{ struct ch_reg edata; + memset(&edata, 0, sizeof(struct ch_reg)); + edata.cmd = CHELSIO_GET_QSET_NUM; edata.val = pi->nqsets; if (copy_to_user(useraddr, &edata, sizeof(edata)))
Fixed formatting (tabs and line breaks). The CHELSIO_GET_QSET_NUM device ioctl allows unprivileged users to read 4 bytes of uninitialized stack memory, because the "addr" member of the ch_reg struct declared on the stack in cxgb_extension_ioctl() is not altered or zeroed before being copied back to the user. This patch takes care of it. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html