Re: CVE requests: Three Linux kernel issues

[Eugene Teo <eugene () redhat com>]

> [1] http://permalink.gmane.org/gmane.linux.kernel/1124411 :
>
> | PATCH] char: briq_panel: fix TOCTOU bug
> |
> | There is a TOCTOU bug in briq_panel_write() code:
> |
> |     if (vfd_cursor>  39)<<<
> |             scroll_vfd();
> |     vfd[vfd_cursor++] = c;<<<
> |
> | It's possible to write to arbitrary memory location in case of more than
> | one process tries to call write() simultaneously.

This shouldn't happen as this is protected using tty_lock to only allow 
single access to it at any one time. So having more than one processes 
writing to it is unlikely. No CVE for this one.

> [2] http://permalink.gmane.org/gmane.linux.kernel/1124410 :
>
> | [PATCH] char: genrtc: fix infoleak to userspace
> |
> | struct pll is copied to userspace.  It is filled in "multiplexing" function
> | get_rtc_pll().  At least one implementator, q40_get_rtc_pll(), doesn't
> | fill .pll_ctrl field.  It's hard to understand whether either the caller
> | or the callee must zero the unused struct fields, however, on another
> | ioctl commands the caller already zeroes the structure.  So, let's the
> | caller use memset().

No CVE for this one too; /dev/rtc is root read/write only.

Thanks.

Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }