lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Sep 2010 01:30:36 -0400 From: Dan Rosenberg <drosenberg@...curity.com> To: David Miller <davem@...emloft.net> Cc: grundler@...isc-linux.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, kyle@...artin.ca, jeffm@...e.com, security@...nel.org Subject: [PATCH v4] drivers/net/tulip/de4x5.c: fix union member name in DE4X5_GET_REG ioctl Tiring doesn't begin to describe it. Formatting undamaged. This was previously reported as a security issue due to leakage of uninitialized stack memory. Jeff Mahoney pointed out that this is incorrect since the copied data is from a union (rather than a struct). Therefore, this patch is only under consideration for the sake of correctness, and is not security relevant. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@...il.com> Acked-by: Grant Grundler <grundler@...isc-linux.org> --- linux-2.6.35.4.orig/drivers/net/tulip/de4x5.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-14 21:26:52.499474207 -0400 @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru tmp.lval[6] = inl(DE4X5_STRR); j+=4; tmp.lval[7] = inl(DE4X5_SIGR); j+=4; ioc->len = j; - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT; + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT; break; #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */ -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists