[PATCH] drivers/net/tulip/de4x5.c: prevent reading uninitializedstack memory

[Dan Rosenberg]

The DE4X5_GET_REG device ioctl allows unprivileged users to read 32
bytes of uninitialized stack memory, because it copies the
uninitialized "addr" member instead of the intended "lval" member.
This patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@xxxxxxxxx>

--- linux-2.6.35.4.orig/drivers/net/tulip/de4x5.c	2010-09-11
19:12:27.000000000 -0400
+++ linux-2.6.35.4/drivers/net/tulip/de4x5.c	2010-09-11 19:17:12.000000000 -0400
@@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
 	tmp.lval[6] = inl(DE4X5_STRR); j+=4;
 	tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
 	ioc->len = j;
-	if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
+	if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
 	break;

 #define DE4X5_DUMP              0x0f /* Dump the DE4X5 Status */
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/