git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Stefan Richter <stefanr@s5r6.in-berlin.de>
	Sat, 6 Oct 2012 12:12:56 +0000 (14:12 +0200)
committer	Ben Hutchings <ben@decadent.org.uk>
	Wed, 17 Oct 2012 02:49:48 +0000 (03:49 +0100)
commit	e69e19924bdbfb7a44ac64c206d5cbcae57910ed
tree	8a55df3ad729a440a66d70c098546e0ea19a2099	tree \| snapshot
parent	c1bc78797baaf98cb565d0c4afcb8ef26bb28655	commit \| diff

firewire: cdev: fix user memory corruption (i386 userland on amd64 kernel)

commit 790198f74c9d1b46b6a89504361b1a844670d050 upstream.

Fix two bugs of the /dev/fw* character device concerning the
FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset.
(Practically all /dev/fw* clients issue this ioctl right after opening
the device.)

Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36
without natural alignment and 40 with natural alignment.

1) Memory corruption, affecting i386 userland on amd64 kernel:
    Userland reserves a 36 bytes large buffer, kernel writes 40 bytes.
    This has been first found and reported against libraw1394 if
    compiled with gcc 4.7 which happens to order libraw1394's stack such
    that the bug became visible as data corruption.

2) Information leak, affecting all kernel architectures except i386:
    4 bytes of random kernel stack data were leaked to userspace.

Hence limit the respective copy_to_user() to the 32-bit aligned size of
struct fw_cdev_event_bus_reset.

Reported-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>