Potential kernel address leakage in driver/atm.

From: Fuqian Huang
Date: Mon Apr 15 2019 - 11:03:24 EST

Next message: Johan Hovold: "Re: [PATCH] Staging: greybus: Cleanup in header file control.h"
Previous message: Jan Kara: "Re: [PATCH v1 10/15] block: add gup flag to bio_add_page()/bio_add_pc_page()/__bio_add_page()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi, recently I found that there is a kernel address leakage to user
space via copy_to_user in
drivers/atm/iphase.c:2772 (linux-5.0.7)
In ia_ioctl, when cmd is MEMDUMP_DEV, copy_to_user will copy struct
IADEV from ia_dev[board] to user space.
The struct is initialized in ia_init_one(line 3185/3211) and the pci
and next_board field are kernel pointers assigned in line 3191 and
3224.

Related code:
static int ia_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
{
...
iadev = kzalloc(...);
...
iadev->pci = pdev;
...
iadev->next_board = ia_boards;
...
}

static int ia_ioctl(struct atm_dev *dev, unsigned int cmd, void __user *arg)
{
...
IADEV *iadev;
...
iadev = ia_dev[board];
...
switch (ia_cmds.cmd) {
...
case MEMDUMP_DEV:
...
if (copy_to_user(ia_cmds.buf, iadev, sizeof(IADEV)))
...
}
}

Next message: Johan Hovold: "Re: [PATCH] Staging: greybus: Cleanup in header file control.h"
Previous message: Jan Kara: "Re: [PATCH v1 10/15] block: add gup flag to bio_add_page()/bio_add_pc_page()/__bio_add_page()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]