git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Stefan Richter <stefanr@s5r6.in-berlin.de>
	Wed, 7 Apr 2010 06:30:50 +0000 (08:30 +0200)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Thu, 9 Dec 2010 21:26:48 +0000 (13:26 -0800)
commit	6f3fc70b17939b2b3786198d6d5f30c2066516c9
tree	a7881aad79df80d66437b639158b60c6e8fcb409	tree \| snapshot
parent	fda45f0be5c9d1671b6bc5b35b6143360f2b10bd	commit \| diff

firewire: cdev: fix information leak

commit 9cac00b8f0079d5d3d54ec4dae453d58dec30e7c upstream.

A userspace client got to see uninitialized stack-allocated memory if it
specified an _IOC_READ type of ioctl and an argument size larger than
expected by firewire-core's ioctl handlers (but not larger than the
core's union ioctl_arg).

Fix this by clearing the requested buffer size to zero, but only at _IOR
ioctls.  This way, there is almost no runtime penalty to legitimate
ioctls.  The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12
or 16 bytes to memset.

[Another way to fix this would be strict checking of argument size (and
possibly direction) vs. command number.  However, we then need a lookup
table, and we need to allow for slight size deviations in case of 32bit
userland on 64bit kernel.]

Reported-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
[ Backported to 2.6.32 firewire core -maks ]
Signed-off-by: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>