Message-ID: <91456a7b-cd05-c832-8af1-6d416adf728a@tuxfamily.org>
Date: Sat, 5 Aug 2017 09:12:03 +0200
From: Thomas Huth <huth@...family.org>
To: sohu0106 <sohu0106@....com>
Cc: Heiko Carstens <heiko.carstens@...ibm.com>, schwidefsky@...ibm.com,
linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: drivers/s390/char/keyboard.c kernel stack infoleak
On 05.08.2017 03:57, sohu0106 wrote:
> My idea is
>
> struct kbdiacr {
>         unsigned char diacr, base, result;
> };
>
> sizeof(struct kbdiacr)=4
>
> here we just set 3 bytes
>         case KDGKBDIACR:
>         {
>                 struct kbdiacrs __user *a = argp;
>                 struct kbdiacr diacr;
>                 int i;
>
>                 if (put_user(kbd->accent_table_size, &a->kb_cnt))
>                         return -EFAULT;
>                 for (i = 0; i < kbd->accent_table_size; i++) {
>                         diacr.diacr = kbd->accent_table[i].diacr;
>                         diacr.base = kbd->accent_table[i].base;
>                         diacr.result = kbd->accent_table[i].result;
>                         if (copy_to_user(a->kbdiacr + i, &diacr, sizeof(struct kbdiacr)))
> Is there anything I haven't noticed?
Yes: sizeof(struct kbdiacr) is 3 here.
Thomas
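The disagreement above comes down to whether struct kbdiacr has padding. The following is an added example, not code from the thread or from the kernel: it reproduces the struct layout quoted above, measures its padding, and simulates the kernel pattern (assign each member of a stack object, then copy the whole object out) on poisoned storage to count how many unwritten bytes would reach user space. For contrast it also uses a hypothetical struct padded_example (not from the kernel) whose int member forces alignment padding, together with the memset-to-zero fix that closes that kind of leak. It assumes a conventional ABI where int is 4 bytes with 4-byte alignment.

```c
/* Added example (not from the thread): does copying a whole struct out of the
 * kernel leak uninitialised stack bytes? Only if the struct has padding bytes
 * that no member assignment covers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout as quoted in the thread: three 1-byte members, alignment 1, no padding. */
struct kbdiacr {
    unsigned char diacr, base, result;
};
_Static_assert(sizeof(struct kbdiacr) == 3, "kbdiacr has no padding");

/* Hypothetical struct constructed for contrast (not a kernel type): the int
 * member needs 4-byte alignment (assumption: int is 4 bytes), so the compiler
 * inserts 3 padding bytes after 'tag'. */
struct padded_example {
    unsigned char tag;
    int value;
};

#define POISON 0xAAu   /* stand-in for stale stack contents */

/* Bytes of the struct not covered by any member. */
size_t kbdiacr_padding(void) {
    return sizeof(struct kbdiacr) - 3 * sizeof(unsigned char);
}

size_t padded_example_padding(void) {
    return sizeof(struct padded_example) - sizeof(unsigned char) - sizeof(int);
}

/* Count bytes still holding the poison value, i.e. never written. Member
 * values below are chosen so that none of their bytes equals POISON. */
static size_t count_poison(const unsigned char *p, size_t n) {
    size_t leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] == POISON)
            leaked++;
    return leaked;
}

/* Kernel pattern from the thread: poisoned stack object, members assigned
 * one by one, whole object copied out. Returns the poison bytes that would
 * be copied to user space. */
size_t kbdiacr_leaked_bytes(void) {
    union { struct kbdiacr d; unsigned char raw[sizeof(struct kbdiacr)]; } u;
    memset(u.raw, POISON, sizeof u.raw);
    u.d.diacr = 0x01;
    u.d.base = 0x02;
    u.d.result = 0x03;
    return count_poison(u.raw, sizeof u.raw);   /* every byte is a member: 0 */
}

/* Same pattern on the padded struct: the 3 padding bytes are never written. */
size_t padded_example_leaked_bytes(void) {
    union { struct padded_example d; unsigned char raw[sizeof(struct padded_example)]; } u;
    memset(u.raw, POISON, sizeof u.raw);
    u.d.tag = 0x01;
    u.d.value = 0x02030405;
    return count_poison(u.raw, sizeof u.raw);
}

/* The fix where padding does exist: clear the whole object before filling
 * members, so padding is zero rather than whatever was on the stack. */
size_t padded_example_leaked_bytes_fixed(void) {
    union { struct padded_example d; unsigned char raw[sizeof(struct padded_example)]; } u;
    memset(u.raw, POISON, sizeof u.raw);
    memset(&u.d, 0, sizeof u.d);
    u.d.tag = 0x01;
    u.d.value = 0x02030405;
    return count_poison(u.raw, sizeof u.raw);
}

int main(void) {
    printf("sizeof(struct kbdiacr) = %zu, padding = %zu, leaked = %zu\n",
           sizeof(struct kbdiacr), kbdiacr_padding(), kbdiacr_leaked_bytes());
    printf("sizeof(struct padded_example) = %zu, padding = %zu, leaked = %zu, "
           "leaked after memset = %zu\n",
           sizeof(struct padded_example), padded_example_padding(),
           padded_example_leaked_bytes(), padded_example_leaked_bytes_fixed());
    return 0;
}
```

The poison technique is the same check a reviewer would do by hand: the copied object leaks only if some byte of it is never assigned. For struct kbdiacr every byte belongs to a member, so the per-member assignments in KDGKBDIACR fully initialise what copy_to_user() sends; the memset fix only matters for layouts like padded_example.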