Patchwork [Hardy,CVE-2010-4079,1/1] V4L/DVB: ivtvfb: prevent reading uninitialized stack memory, CVE-2010-4079

login
register
mail settings
Submitter Brad Figg
Date Jan. 26, 2011, 2:12 a.m.
Message ID <1296007965-31306-1-git-send-email-brad.figg@canonical.com>
Download mbox | patch
Permalink /patch/80440/
State Accepted
Delegated to: Stefan Bader
Headers show

Comments

Brad Figg - Jan. 26, 2011, 2:12 a.m.
From: Dan Rosenberg <drosenberg@vsecurity.com>

CVE-2010-4079

BugLink: http://bugs.launchpad.net/bugs/707649

Released by: 2.6.32.y stable upstream

The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "reserved" member of
the fb_vblank struct declared on the stack is not altered or zeroed
before being copied back to the user.  This patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Andy Walls <awalls@md.metrocast.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

(cherry-picked from commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
---
 drivers/media/video/ivtv/ivtvfb.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
Tim Gardner - Jan. 26, 2011, 4:31 a.m.
On 01/25/2011 07:12 PM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg@vsecurity.com>
>
> CVE-2010-4079
>
> BugLink: http://bugs.launchpad.net/bugs/707649
>
> Released by: 2.6.32.y stable upstream
>
> The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
> bytes of uninitialized stack memory, because the "reserved" member of
> the fb_vblank struct declared on the stack is not altered or zeroed
> before being copied back to the user.  This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg@gmail.com>
> Signed-off-by: Andy Walls<awalls@md.metrocast.net>
> Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com>
>
> (cherry-picked from commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9)
> Signed-off-by: Brad Figg<brad.figg@canonical.com>
> ---
>   drivers/media/video/ivtv/ivtvfb.c |    2 ++
>   1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c
> index 52ffd15..48fc638 100644
> --- a/drivers/media/video/ivtv/ivtvfb.c
> +++ b/drivers/media/video/ivtv/ivtvfb.c
> @@ -378,6 +378,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar
>   			struct fb_vblank vblank;
>   			u32 trace;
>
> +			memset(&vblank, 0, sizeof(struct fb_vblank));
> +
>   			vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
>   					FB_VBLANK_HAVE_VSYNC;
>   			trace = read_reg(0x028c0)>>  16;

Acked-by: Tim Gardner <tim.gardner@canonical.com>
Stefan Bader - Jan. 26, 2011, 10:03 a.m.
On 01/26/2011 03:12 AM, Brad Figg wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> CVE-2010-4079
> 
> BugLink: http://bugs.launchpad.net/bugs/707649
> 
> Released by: 2.6.32.y stable upstream
> 
> The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
> bytes of uninitialized stack memory, because the "reserved" member of
> the fb_vblank struct declared on the stack is not altered or zeroed
> before being copied back to the user.  This patch takes care of it.
> 
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
> Signed-off-by: Andy Walls <awalls@md.metrocast.net>
> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
> 
> (cherry-picked from commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  drivers/media/video/ivtv/ivtvfb.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c
> index 52ffd15..48fc638 100644
> --- a/drivers/media/video/ivtv/ivtvfb.c
> +++ b/drivers/media/video/ivtv/ivtvfb.c
> @@ -378,6 +378,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar
>  			struct fb_vblank vblank;
>  			u32 trace;
>  
> +			memset(&vblank, 0, sizeof(struct fb_vblank));
> +
>  			vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
>  					FB_VBLANK_HAVE_VSYNC;
>  			trace = read_reg(0x028c0) >> 16;
Tim Gardner - Jan. 26, 2011, 1:45 p.m.
On 01/25/2011 07:12 PM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg@vsecurity.com>
>
> CVE-2010-4079
>
> BugLink: http://bugs.launchpad.net/bugs/707649
>
> Released by: 2.6.32.y stable upstream
>
> The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
> bytes of uninitialized stack memory, because the "reserved" member of
> the fb_vblank struct declared on the stack is not altered or zeroed
> before being copied back to the user.  This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg@gmail.com>
> Signed-off-by: Andy Walls<awalls@md.metrocast.net>
> Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com>
>
> (cherry-picked from commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9)
> Signed-off-by: Brad Figg<brad.figg@canonical.com>
> ---
>   drivers/media/video/ivtv/ivtvfb.c |    2 ++
>   1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c
> index 52ffd15..48fc638 100644
> --- a/drivers/media/video/ivtv/ivtvfb.c
> +++ b/drivers/media/video/ivtv/ivtvfb.c
> @@ -378,6 +378,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar
>   			struct fb_vblank vblank;
>   			u32 trace;
>
> +			memset(&vblank, 0, sizeof(struct fb_vblank));
> +
>   			vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
>   					FB_VBLANK_HAVE_VSYNC;
>   			trace = read_reg(0x028c0)>>  16;

applied and pushed

Patch

diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c
index 52ffd15..48fc638 100644
--- a/drivers/media/video/ivtv/ivtvfb.c
+++ b/drivers/media/video/ivtv/ivtvfb.c
@@ -378,6 +378,8 @@  static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar
 			struct fb_vblank vblank;
 			u32 trace;
 
+			memset(&vblank, 0, sizeof(struct fb_vblank));
+
 			vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
 					FB_VBLANK_HAVE_VSYNC;
 			trace = read_reg(0x028c0) >> 16;