This is a note to let you know that I've just added the patch titled
firewire: cdev: fix information leak
to the 2.6.32-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
firewire-cdev-fix-information-leak.patch
and it can be found in the queue-2.6.32 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 9cac00b8f0079d5d3d54ec4dae453d58dec30e7c Mon Sep 17 00:00:00 2001
From: Stefan Richter <[email protected]>
Date: Wed, 7 Apr 2010 08:30:50 +0200
Subject: firewire: cdev: fix information leak
From: Stefan Richter <[email protected]>
commit 9cac00b8f0079d5d3d54ec4dae453d58dec30e7c upstream.
A userspace client got to see uninitialized stack-allocated memory if it
specified an _IOC_READ type of ioctl and an argument size larger than
expected by firewire-core's ioctl handlers (but not larger than the
core's union ioctl_arg).
Fix this by clearing the requested buffer size to zero, but only at _IOR
ioctls. This way, there is almost no runtime penalty to legitimate
ioctls. The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12
or 16 bytes to memset.
[Another way to fix this would be strict checking of argument size (and
possibly direction) vs. command number. However, we then need a lookup
table, and we need to allow for slight size deviations in case of 32bit
userland on 64bit kernel.]
Reported-by: Clemens Ladisch <[email protected]>
Signed-off-by: Stefan Richter <[email protected]>
[ Backported to 2.6.32 firewire core -maks ]
Signed-off-by: maximilian attems <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/firewire/core-cdev.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1299,24 +1299,24 @@ static int dispatch_ioctl(struct client
int ret;
if (_IOC_TYPE(cmd) != '#' ||
- _IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers))
+ _IOC_NR(cmd) >= ARRAY_SIZE(ioctl_handlers) ||
+ _IOC_SIZE(cmd) > sizeof(buffer))
return -EINVAL;
- if (_IOC_DIR(cmd) & _IOC_WRITE) {
- if (_IOC_SIZE(cmd) > sizeof(buffer) ||
- copy_from_user(buffer, arg, _IOC_SIZE(cmd)))
+ if (_IOC_DIR(cmd) == _IOC_READ)
+ memset(&buffer, 0, _IOC_SIZE(cmd));
+
+ if (_IOC_DIR(cmd) & _IOC_WRITE)
+ if (copy_from_user(buffer, arg, _IOC_SIZE(cmd)))
return -EFAULT;
- }
ret = ioctl_handlers[_IOC_NR(cmd)](client, buffer);
if (ret < 0)
return ret;
- if (_IOC_DIR(cmd) & _IOC_READ) {
- if (_IOC_SIZE(cmd) > sizeof(buffer) ||
- copy_to_user(arg, buffer, _IOC_SIZE(cmd)))
+ if (_IOC_DIR(cmd) & _IOC_READ)
+ if (copy_to_user(arg, buffer, _IOC_SIZE(cmd)))
return -EFAULT;
- }
return ret;
}
Patches currently in stable-queue which might be from [email protected]
are
queue-2.6.32/firewire-ohci-fix-race-in-ar-split-packet-handling.patch
queue-2.6.32/firewire-cdev-fix-information-leak.patch
queue-2.6.32/firewire-core-fix-an-information-leak.patch
queue-2.6.32/firewire-ohci-fix-buffer-overflow-in-ar-split-packet-handling.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
