Patchwork [Karmic,[CVE-2010-4082,1/1] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory, CVE-2010-4082

login
register
mail settings
Submitter Brad Figg
Date Feb. 4, 2011, 5:26 p.m.
Message ID <1296840400-28974-2-git-send-email-brad.figg@canonical.com>
Download mbox | patch
Permalink /patch/81926/
State Accepted
Commit ddfe77ea344dc56d401d4be3ceb4cdf22858591e
Headers show

Comments

Brad Figg - Feb. 4, 2011, 5:26 p.m.
From: Dan Rosenberg <drosenberg@vsecurity.com>

CVE-2010-4082

BugLink: http://bugs.launchpad.net/bugs/712744

The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
bytes of uninitialized stack memory, because the "reserved" member of
the viafb_ioctl_info struct declared on the stack is not altered or
zeroed before being copied back to the user.  This patch takes care of
it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>

(cherry-picked from commit b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
---
 drivers/video/via/ioctl.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
Tim Gardner - Feb. 4, 2011, 7:44 p.m.
On 02/04/2011 10:26 AM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg@vsecurity.com>
>
> CVE-2010-4082
>
> BugLink: http://bugs.launchpad.net/bugs/712744
>
> The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
> bytes of uninitialized stack memory, because the "reserved" member of
> the viafb_ioctl_info struct declared on the stack is not altered or
> zeroed before being copied back to the user.  This patch takes care of
> it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg@gmail.com>
> Signed-off-by: Florian Tobias Schandinat<FlorianSchandinat@gmx.de>
>
> (cherry-picked from commit b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca)
> Signed-off-by: Brad Figg<brad.figg@canonical.com>
> ---
>   drivers/video/via/ioctl.c |    2 ++
>   1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/video/via/ioctl.c b/drivers/video/via/ioctl.c
> index da03c07..4d553d0 100644
> --- a/drivers/video/via/ioctl.c
> +++ b/drivers/video/via/ioctl.c
> @@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long arg)
>   {
>   	struct viafb_ioctl_info viainfo;
>
> +	memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
> +
>   	viainfo.viafb_id = VIAID;
>   	viainfo.vendor_id = PCI_VIA_VENDOR_ID;
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>
Stefan Bader - Feb. 7, 2011, 10:48 a.m.
On 02/04/2011 06:26 PM, Brad Figg wrote:
> From: Dan Rosenberg <drosenberg@vsecurity.com>
> 
> CVE-2010-4082
> 
> BugLink: http://bugs.launchpad.net/bugs/712744
> 
> The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
> bytes of uninitialized stack memory, because the "reserved" member of
> the viafb_ioctl_info struct declared on the stack is not altered or
> zeroed before being copied back to the user.  This patch takes care of
> it.
> 
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
> Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
> 
> (cherry-picked from commit b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  drivers/video/via/ioctl.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/video/via/ioctl.c b/drivers/video/via/ioctl.c
> index da03c07..4d553d0 100644
> --- a/drivers/video/via/ioctl.c
> +++ b/drivers/video/via/ioctl.c
> @@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long arg)
>  {
>  	struct viafb_ioctl_info viainfo;
>  
> +	memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
> +
>  	viainfo.viafb_id = VIAID;
>  	viainfo.vendor_id = PCI_VIA_VENDOR_ID;
>

Patch

diff --git a/drivers/video/via/ioctl.c b/drivers/video/via/ioctl.c
index da03c07..4d553d0 100644
--- a/drivers/video/via/ioctl.c
+++ b/drivers/video/via/ioctl.c
@@ -25,6 +25,8 @@  int viafb_ioctl_get_viafb_info(u_long arg)
 {
 	struct viafb_ioctl_info viainfo;
 
+	memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
+
 	viainfo.viafb_id = VIAID;
 	viainfo.vendor_id = PCI_VIA_VENDOR_ID;