Message-ID: <AANLkTiki4bNP83B2WEPcKnnDqHibxqYyi6V2CjiG9GEO@mail.gmail.com>
Date: Sat, 11 Sep 2010 19:46:38 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: grundler@...isc-linux.org, kyle@...artin.ca
Cc: linux-kernel@...r.kernel.org, security@...nel.org
Subject: [PATCH] drivers/net/tulip/de4x5.c: prevent reading uninitialized stack memory
The DE4X5_GET_REG device ioctl allows unprivileged users to read 32
bytes of uninitialized stack memory, because it copies the
uninitialized "addr" member instead of the intended "lval" member.
This patch takes care of it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@...il.com>
--- linux-2.6.35.4.orig/drivers/net/tulip/de4x5.c 2010-09-11
19:12:27.000000000 -0400
+++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-11 19:17:12.000000000 -0400
@@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
tmp.lval[6] = inl(DE4X5_STRR); j+=4;
tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
ioc->len = j;
- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
+ if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
break;
#define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
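Review bot: The declaration of tmp is outside this hunk, so the one-line change at copy_to_user() cannot be checked against the changelog's claim that "addr" is separate, uninitialized storage while "lval" is what the inl() reads filled. Please quote the declaration in the commit message: if addr and lval are members of a union, both names refer to the same bytes and the change is a readability fix rather than an information-leak fix; if they are distinct members, it is worth also zeroing tmp before the register reads so a short fill can never expose stale stack contents. The length comes from j (ioc->len = j), so a bound against sizeof(tmp.lval) next to the copy would make the intended size explicit.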