Re: [PATCH] drivers/net/tulip/de4x5.c: prevent reading uninitialized stack memory

From: Jeff Mahoney
Date: Wed Sep 15 2010 - 11:42:52 EST


On 09/11/2010 07:46 PM, Dan Rosenberg wrote:
The DE4X5_GET_REG device ioctl allows unprivileged users to read 32
bytes of uninitialized stack memory, because it copies the
uninitialized "addr" member instead of the intended "lval" member.
This patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@xxxxxxxxx>

No. This patch may be considered for correctness, but there's no security issue here.

'tmp' is a union, not a struct. Writes to lval are the same as writes to addr. The length is correctly determined so that only initialized memory is used.

-Jeff

--- linux-2.6.35.4.orig/drivers/net/tulip/de4x5.c 2010-09-11
19:12:27.000000000 -0400
+++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-11 19:17:12.000000000 -0400
@@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
tmp.lval[6] = inl(DE4X5_STRR); j+=4;
tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
ioc->len = j;
- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
+ if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
break;

#define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
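Review bot: The changelog's claim of an uninitialized stack read does not follow from this hunk: the context lines store each register through tmp.lval[] and advance j by 4 per store, ioc->len is set from j, and the only change to the copy_to_user() call is the member name used as the source. If tmp is a union, as the reply states, tmp.addr and tmp.lval name the same storage and the bytes copied are unchanged, so the commit message should present this as a consistency cleanup (read through the same member that was written) rather than an information-leak fix.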
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


--
Jeff Mahoney
SUSE Labs
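
The union-versus-struct distinction raised in the reply, as an added userspace example that is not part of the thread or the driver: it fills `tmp` with a marker byte, writes registers through `lval`, copies from `addr`, and counts marker bytes that would reach the caller. Assumptions: the member sizes, the `POISON` marker, the fake register values, and `copy_and_count()` as a stand-in for `copy_to_user()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA /* constructed marker standing in for stale stack bytes */
#define NREGS  8

/* Assumed shapes: member names follow the thread, sizes are illustrative. */
union  tmp_union  { uint8_t addr[4 * NREGS]; uint32_t lval[NREGS]; };
struct tmp_struct { uint8_t addr[4 * NREGS]; uint32_t lval[NREGS]; };

/* Stand-in for copy_to_user(): copy len bytes, count poison bytes copied. */
static int copy_and_count(const void *src, size_t len)
{
    uint8_t out[4 * NREGS];
    int leaked = 0;
    memcpy(out, src, len);
    for (size_t k = 0; k < len; k++)
        leaked += (out[k] == POISON);
    return leaked;
}

/* Union: addr and lval alias, so copying from addr returns the lval writes. */
int leaked_bytes_union(void)
{
    union tmp_union tmp;
    size_t j = 0;
    memset(&tmp, POISON, sizeof(tmp));
    for (int i = 0; i < NREGS; i++, j += 4)
        tmp.lval[i] = 0x11111111u * (uint32_t)(i + 1); /* fake register */
    return copy_and_count(tmp.addr, j);
}

/* Struct: addr is separate storage that was never written, so it leaks. */
int leaked_bytes_struct(void)
{
    struct tmp_struct tmp;
    size_t j = 0;
    memset(&tmp, POISON, sizeof(tmp));
    for (int i = 0; i < NREGS; i++, j += 4)
        tmp.lval[i] = 0x11111111u * (uint32_t)(i + 1); /* fake register */
    return copy_and_count(tmp.addr, j);
}

int main(void)
{
    printf("union: %d, struct: %d\n", leaked_bytes_union(), leaked_bytes_struct());
    return 0;
}
```

With the union the count is zero; the same copy against the struct layout hands back every marker byte, which is the bug class the original report assumed.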