diff options
author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2010-04-07 08:30:50 +0200 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2010-04-10 16:51:13 +0200 |
commit | 9cac00b8f0079d5d3d54ec4dae453d58dec30e7c (patch) | |
tree | 902b5f22c553395e5bab8c7561b996f19584e7f6 /include | |
parent | 385ab5bcd4be586dffdba550b310308d89eade71 (diff) | |
download | op-kernel-dev-9cac00b8f0079d5d3d54ec4dae453d58dec30e7c.zip op-kernel-dev-9cac00b8f0079d5d3d54ec4dae453d58dec30e7c.tar.gz |
firewire: cdev: fix information leak
A userspace client got to see uninitialized stack-allocated memory if it
specified an _IOC_READ type of ioctl and an argument size larger than
expected by firewire-core's ioctl handlers (but not larger than the
core's union ioctl_arg).
Fix this by clearing the requested buffer size to zero, but only at _IOR
ioctls. This way, there is almost no runtime penalty to legitimate
ioctls. The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12
or 16 bytes to memset.
[Another way to fix this would be strict checking of argument size (and
possibly direction) vs. command number. However, we then need a lookup
table, and we need to allow for slight size deviations in case of 32bit
userland on 64bit kernel.]
Reported-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions