[patch] agp: potential info leak in compat_agpioc_info_wrap()

From: Dan Carpenter
Date: Fri Sep 23 2011 - 02:19:58 EST

Next message: Mike Galbraith: "[patch] cpusets: allow PF_THREAD_BOUND kworkers to escape from acpuset"
Previous message: Dan Carpenter: "[patch] dma/timberdale: free_irq() on an error path"
Next in thread: Eric Dumazet: "Re: [patch] agp: potential info leak in compat_agpioc_info_wrap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.

The agp_info32 struct has a 4 byte hole in it so we need to clear
that before copying it to userspace.

struct agp_info32 {
struct agp_version version; /* 0 0 */

/* XXX 4 bytes hole, try to pack */

u32 bridge_id; /* 4 4 */

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c
index a48e05b..0509497 100644
--- a/drivers/char/agp/compat_ioctl.c
+++ b/drivers/char/agp/compat_ioctl.c
@@ -42,6 +42,8 @@ static int compat_agpioc_info_wrap(struct agp_file_private *priv, void __user *a

agp_copy_info(agp_bridge, &kerninfo);

+ memset(&userinfo, 0, sizeof(userinfo));
+
userinfo.version.major = kerninfo.version.major;
userinfo.version.minor = kerninfo.version.minor;
userinfo.bridge_id = kerninfo.device->vendor |
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mike Galbraith: "[patch] cpusets: allow PF_THREAD_BOUND kworkers to escape from acpuset"
Previous message: Dan Carpenter: "[patch] dma/timberdale: free_irq() on an error path"
Next in thread: Eric Dumazet: "Re: [patch] agp: potential info leak in compat_agpioc_info_wrap()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]