oss-sec mailing list archives
Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE
From: Dan Carpenter <dan.carpenter () oracle com>
Date: Mon, 8 Apr 2013 21:44:33 +0300
On Mon, Apr 08, 2013 at 10:18:30PM +0530, P J P wrote:
Hello Dan, +-- On Mon, 8 Apr 2013, Dan Carpenter wrote --+ | The x86 version is ok but asm-generic version of get_user() doesn't clear x. | | include/asm-generic/uaccess.h | | 226 #define get_user(x, ptr) \ | 227 ({ \ | 228 might_sleep(); \ | 229 access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \ | 230 __get_user(x, ptr) : \ | 231 -EFAULT; \ | 232 }) Here, following call sequence ensures that 'x' is always initialised with
^^^^^^ ???
user memory contents. get_user -> __get_user -> __get_user_fn -> __copy_from_user Unless `access_ok()' in `__get_user' returns 0, which it does not, OR sizeof(*ptr) is > 8 bytes.
I'm confused why you are using the word "always" and "Unless `access_ok()' in `__get_user' returns 0". I don't understand what you are saying. Anyway, the bottom line is that the x86 version of get_user() doesn't have an info leak and the asm-generic version does. regards, dan carpenter
Current thread:
- CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Marcus Meissner (Apr 05)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Kurt Seifried (Apr 05)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Dan Carpenter (Apr 08)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Dan Carpenter (Apr 08)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Dan Carpenter (Apr 08)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Dan Carpenter (Apr 08)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 09)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Dan Carpenter (Apr 08)