Re: [PATCH] drivers/video/via/ioctl.c: prevent reading uninitialized
From: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Date: 2010-09-15 22:42:21
Also in:
lkml
Hi, Dan Rosenberg schrieb:
The VIAFB_GET_INFO device ioctl allows unprivileged users to read 1968 bytes of uninitialized stack memory, because the "reserved" member of the viafb_ioctl_info struct declared on the stack is not altered or zeroed before being copied back to the user. This patch takes care of it.
I am wondering about the number of bytes as sizeof(struct viafb_ioctl_info) = 256 so it should be a bit less. But that's just nitpicking, the issue is certainly real. Your patch does the right thing but there is a bug in it:
quoted hunk ↗ jump to hunk
Signed-off-by: Dan Rosenberg <redacted>--- linux-2.6.35.4.orig/drivers/video/via/ioctl.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.4/drivers/video/via/ioctl.c 2010-09-15 11:53:29.997375748 -0400@@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long ar { struct viafb_ioctl_info viainfo; + memset(&viainfo, 0, sizeof(struct viafb_ioctl));
Shouldn't it be sizeof(struct viafb_ioctl_info) or sizeof(viainfo) ? At least here it does not even compile otherwise.... Thanks, Florian Tobias Schandinat