diff mbox

[Lucid,CVE-2013-2164] drivers/cdrom/cdrom.c: use kzalloc() for failing hardware

Message ID 1373288282-2538-1-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques July 8, 2013, 12:58 p.m. UTC 
From: Jonathan Salwan <jonathan.salwan@gmail.com>

BugLink: http://bugs.launchpad.net/bugs/1191463

CVE-2013-2164

In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
area with kmalloc in line 2885.

  2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
  2886         if (cgc->buffer == NULL)
  2887                 return -ENOMEM;

In line 2908 we can find the copy_to_user function:

  2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))

The cgc->buffer is never cleaned and initialized before this function.
If ret = 0 with the previous basic block, it's possible to display some
memory bytes in kernel space from userspace.

When we read a block from the disk it normally fills the ->buffer but if
the drive is malfunctioning there is a chance that it would only be
partially filled.  The result is an leak information to userspace.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/cdrom/cdrom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Tim Gardner July 8, 2013, 1:41 p.m. UTC | #1 
On 07/08/2013 06:58 AM, Luis Henriques wrote:
> From: Jonathan Salwan <jonathan.salwan@gmail.com>
> 
> BugLink: http://bugs.launchpad.net/bugs/1191463
> 
> CVE-2013-2164
> 
> In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
> area with kmalloc in line 2885.
> 
>   2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
>   2886         if (cgc->buffer == NULL)
>   2887                 return -ENOMEM;
> 
> In line 2908 we can find the copy_to_user function:
> 
>   2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
> 
> The cgc->buffer is never cleaned and initialized before this function.
> If ret = 0 with the previous basic block, it's possible to display some
> memory bytes in kernel space from userspace.
> 
> When we read a block from the disk it normally fills the ->buffer but if
> the drive is malfunctioning there is a chance that it would only be
> partially filled.  The result is an leak information to userspace.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Cc: Jens Axboe <axboe@kernel.dk>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2)
> 
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  drivers/cdrom/cdrom.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
> index bd69110..80e5654 100644
> --- a/drivers/cdrom/cdrom.c
> +++ b/drivers/cdrom/cdrom.c
> @@ -2822,7 +2822,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
>  	if (lba < 0)
>  		return -EINVAL;
>  
> -	cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
> +	cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
>  	if (cgc->buffer == NULL)
>  		return -ENOMEM;
>  
>
diff mbox

Patch

diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index bd69110..80e5654 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2822,7 +2822,7 @@  static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
 	if (lba < 0)
 		return -EINVAL;
 
-	cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+	cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
 	if (cgc->buffer == NULL)
 		return -ENOMEM;