lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Jul 2020 16:42:14 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: Denis Efremov <efremov@...ux.com> Cc: Peilin Ye <yepeilin.cs@...il.com>, Jens Axboe <axboe@...nel.dk>, Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org, linux-block@...r.kernel.org, linux-kernel-mentees@...ts.linuxfoundation.org Subject: Re: [Linux-kernel-mentees] [PATCH v2] block/floppy: Prevent kernel-infoleak in raw_cmd_copyout() On Wed, Jul 29, 2020 at 04:22:41PM +0300, Denis Efremov wrote: > > On 7/29/20 3:58 PM, Dan Carpenter wrote: > > Argh... This isn't right still. The "ptr" comes from raw_cmd_copyin() > > > > ptr = kmalloc(sizeof(struct floppy_raw_cmd), GFP_KERNEL); > > > > copy_from_user overwrites the padding bytes: > ptr = kmalloc(sizeof(struct floppy_raw_cmd), GFP_KERNEL); > if (!ptr) > return -ENOMEM; > *rcmd = ptr; > ret = copy_from_user(ptr, param, sizeof(*ptr)); > > I think memcpy should be safe in this patch. Oh yeah. You're right. My bad. I just saw the: ptr->next = NULL; ptr->buffer_length = 0; ptr->kernel_data = NULL; Assignments and I missed the copy_from_user. regards, dan carpenter
Powered by blists - more mailing lists