Patchwork [Hardy,CVE-2010-4078,1/1] drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory, CVE-2010-4078

login
register
mail settings
Submitter Brad Figg
Date Jan. 25, 2011, 8:42 p.m.
Message ID <1295988134-18733-1-git-send-email-brad.figg@canonical.com>
Download mbox | patch
Permalink /patch/80405/
State Accepted
Delegated to: Stefan Bader
Headers show

Comments

Brad Figg - Jan. 25, 2011, 8:42 p.m.
From: Dan Rosenberg <drosenberg@vsecurity.com>

CVE-2010-4078

BugLink: http://bugs.launchpad.net/bugs/707579

Released by: 2.6.35.y stable upstream
             2.6.32.y stable upstream

The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes
of uninitialized stack memory, because the "reserved" member of the
fb_vblank struct declared on the stack is not altered or zeroed before
being copied back to the user.  This patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: Thomas Winischhofer <thomas@winischhofer.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry-picked from commit fd02db9de73faebc51240619c7c7f99bee9f65c7)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
---
 drivers/video/sis/sis_main.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
Tim Gardner - Jan. 25, 2011, 9:18 p.m.
On 01/25/2011 01:42 PM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg@vsecurity.com>
>
> CVE-2010-4078
>
> BugLink: http://bugs.launchpad.net/bugs/707579
>
> Released by: 2.6.35.y stable upstream
>               2.6.32.y stable upstream
>
> The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes
> of uninitialized stack memory, because the "reserved" member of the
> fb_vblank struct declared on the stack is not altered or zeroed before
> being copied back to the user.  This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg@gmail.com>
> Cc: Thomas Winischhofer<thomas@winischhofer.net>
> Cc:<stable@kernel.org>
> Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
>
> (cherry-picked from commit fd02db9de73faebc51240619c7c7f99bee9f65c7)
> Signed-off-by: Brad Figg<brad.figg@canonical.com>
> ---
>   drivers/video/sis/sis_main.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/video/sis/sis_main.c b/drivers/video/sis/sis_main.c
> index 559bf17..b52f8e4 100644
> --- a/drivers/video/sis/sis_main.c
> +++ b/drivers/video/sis/sis_main.c
> @@ -1701,6 +1701,9 @@ static int	sisfb_ioctl(struct fb_info *info, unsigned int cmd,
>   		break;
>
>   	   case FBIOGET_VBLANK:
> +
> +		memset(&sisvbblank, 0, sizeof(struct fb_vblank));
> +
>   		sisvbblank.count = 0;
>   		sisvbblank.flags = sisfb_setupvbblankflags(ivideo,&sisvbblank.vcount,&sisvbblank.hcount);
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>
Stefan Bader - Jan. 26, 2011, 10:01 a.m.
On 01/25/2011 09:42 PM, Brad Figg wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> CVE-2010-4078
> 
> BugLink: http://bugs.launchpad.net/bugs/707579
> 
> Released by: 2.6.35.y stable upstream
>              2.6.32.y stable upstream
> 
> The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes
> of uninitialized stack memory, because the "reserved" member of the
> fb_vblank struct declared on the stack is not altered or zeroed before
> being copied back to the user.  This patch takes care of it.
> 
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
> Cc: Thomas Winischhofer <thomas@winischhofer.net>
> Cc: <stable@kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> (cherry-picked from commit fd02db9de73faebc51240619c7c7f99bee9f65c7)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  drivers/video/sis/sis_main.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/video/sis/sis_main.c b/drivers/video/sis/sis_main.c
> index 559bf17..b52f8e4 100644
> --- a/drivers/video/sis/sis_main.c
> +++ b/drivers/video/sis/sis_main.c
> @@ -1701,6 +1701,9 @@ static int	sisfb_ioctl(struct fb_info *info, unsigned int cmd,
>  		break;
> 
>  	   case FBIOGET_VBLANK:
> +
> +		memset(&sisvbblank, 0, sizeof(struct fb_vblank));
> +
>  		sisvbblank.count = 0;
>  		sisvbblank.flags = sisfb_setupvbblankflags(ivideo, &sisvbblank.vcount, &sisvbblank.hcount);
>
Tim Gardner - Jan. 26, 2011, 1:41 p.m.
On 01/25/2011 01:42 PM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg@vsecurity.com>
>
> CVE-2010-4078
>
> BugLink: http://bugs.launchpad.net/bugs/707579
>
> Released by: 2.6.35.y stable upstream
>               2.6.32.y stable upstream
>
> The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes
> of uninitialized stack memory, because the "reserved" member of the
> fb_vblank struct declared on the stack is not altered or zeroed before
> being copied back to the user.  This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg@gmail.com>
> Cc: Thomas Winischhofer<thomas@winischhofer.net>
> Cc:<stable@kernel.org>
> Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
>
> (cherry-picked from commit fd02db9de73faebc51240619c7c7f99bee9f65c7)
> Signed-off-by: Brad Figg<brad.figg@canonical.com>
> ---
>   drivers/video/sis/sis_main.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/video/sis/sis_main.c b/drivers/video/sis/sis_main.c
> index 559bf17..b52f8e4 100644
> --- a/drivers/video/sis/sis_main.c
> +++ b/drivers/video/sis/sis_main.c
> @@ -1701,6 +1701,9 @@ static int	sisfb_ioctl(struct fb_info *info, unsigned int cmd,
>   		break;
>
>   	   case FBIOGET_VBLANK:
> +
> +		memset(&sisvbblank, 0, sizeof(struct fb_vblank));
> +
>   		sisvbblank.count = 0;
>   		sisvbblank.flags = sisfb_setupvbblankflags(ivideo,&sisvbblank.vcount,&sisvbblank.hcount);
>

applied and pushed

Patch

diff --git a/drivers/video/sis/sis_main.c b/drivers/video/sis/sis_main.c
index 559bf17..b52f8e4 100644
--- a/drivers/video/sis/sis_main.c
+++ b/drivers/video/sis/sis_main.c
@@ -1701,6 +1701,9 @@  static int	sisfb_ioctl(struct fb_info *info, unsigned int cmd,
 		break;

 	   case FBIOGET_VBLANK:
+
+		memset(&sisvbblank, 0, sizeof(struct fb_vblank));
+
 		sisvbblank.count = 0;
 		sisvbblank.flags = sisfb_setupvbblankflags(ivideo, &sisvbblank.vcount, &sisvbblank.hcount);