oss-sec mailing list archives
Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE
From: Dan Carpenter <dan.carpenter () oracle com>
Date: Mon, 8 Apr 2013 21:44:33 +0300
On Mon, Apr 08, 2013 at 10:18:30PM +0530, P J P wrote:
> Hello Dan,
>
> +-- On Mon, 8 Apr 2013, Dan Carpenter wrote --+
> | The x86 version is ok but asm-generic version of get_user() doesn't clear x.
> |
> | include/asm-generic/uaccess.h
> |
> | 226 #define get_user(x, ptr) \
> | 227 ({ \
> | 228     might_sleep(); \
> | 229     access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \
> | 230         __get_user(x, ptr) : \
> | 231         -EFAULT; \
> | 232 })
>
> Here, following call sequence ensures that 'x' is always initialised with
                                                    ^^^^^^ ???
> user memory contents.
>
>   get_user
>    -> __get_user
>     -> __get_user_fn
>      -> __copy_from_user
>
> Unless `access_ok()' in `__get_user' returns 0, which it does not, OR
> sizeof(*ptr) is > 8 bytes.

I'm confused why you are using the word "always" and "Unless `access_ok()' in `__get_user' returns 0". I don't understand what you are saying.

Anyway, the bottom line is that the x86 version of get_user() doesn't have an info leak and the asm-generic version does.

regards,
dan carpenter
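
The difference discussed in this message, as an added userspace example (not code from the thread or from the kernel): one macro has the shape quoted above and leaves `x` untouched when the address check fails, the other clears `x` on that path. All names (`sim_*`, `forward_*`, `fake_user_mem`, `kernel_only`, `STALE`) are hypothetical, and the caller that ignores the return value is an assumption made to show where stale data would escape.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: only this array counts as "user memory". */
unsigned int fake_user_mem[4] = { 42 };
unsigned int kernel_only = 7;            /* an address the check rejects */
#define STALE 0xDEADBEEFu                /* stand-in for leftover stack contents */

static int sim_access_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)fake_user_mem;
    return a >= lo && a + n <= lo + sizeof(fake_user_mem);
}

/* Same shape as the quoted macro: on failure it yields -EFAULT and never writes x. */
#define sim_get_user_generic(x, ptr) \
    (sim_access_ok((ptr), sizeof(*(ptr))) ? (memcpy(&(x), (ptr), sizeof(x)), 0) : -EFAULT)

/* Variant whose failure path clears x before yielding -EFAULT. */
#define sim_get_user_zeroing(x, ptr) \
    (sim_access_ok((ptr), sizeof(*(ptr))) ? (memcpy(&(x), (ptr), sizeof(x)), 0) \
                                          : (memset(&(x), 0, sizeof(x)), -EFAULT))

/* Hypothetical caller that drops the return value and forwards x. */
unsigned int forward_generic(const unsigned int *uptr)
{
    unsigned int x = STALE;              /* models an uninitialised stack slot */
    (void)sim_get_user_generic(x, uptr);
    return x;                            /* stale data escapes on a bad pointer */
}

unsigned int forward_zeroing(const unsigned int *uptr)
{
    unsigned int x = STALE;
    (void)sim_get_user_zeroing(x, uptr);
    return x;                            /* cleared on a bad pointer */
}

int main(void)
{
    printf("valid ptr:         %u\n", forward_generic(fake_user_mem));
    printf("bad ptr, generic:  %#x\n", forward_generic(&kernel_only));
    printf("bad ptr, zeroing:  %#x\n", forward_zeroing(&kernel_only));
    return 0;
}
```

Checking the return value in the caller closes the same hole from the other side; clearing `x` in the macro protects callers that forget to.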