| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Oct 2020 15:30:16 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Dan Carpenter <dan.carpenter@...cle.com>,
Arnd Bergmann <arnd@...db.de>,
syzbot+85433a479a646a064ab3@...kaller.appspotmail.com,
Peilin Ye <yepeilin.cs@...il.com>, Jens Axboe <axboe@...nel.dk>
Subject: [PATCH 5.8 012/124] block/scsi-ioctl: Fix kernel-infoleak in scsi_put_cdrom_generic_arg()
From: Peilin Ye <yepeilin.cs@...il.com>
commit 6d53a9fe5a1983490bc14b3a64d49fabb4ccc651 upstream.
scsi_put_cdrom_generic_arg() is copying uninitialized stack memory to
userspace, since the compiler may leave a 3-byte hole in the middle of
`cgc32`. Fix it by adding a padding field to `struct
compat_cdrom_generic_command`.
Cc: stable@...r.kernel.org
Fixes: f3ee6e63a9df ("compat_ioctl: move CDROM_SEND_PACKET handling into scsi")
Suggested-by: Dan Carpenter <dan.carpenter@...cle.com>
Suggested-by: Arnd Bergmann <arnd@...db.de>
Reported-by: syzbot+85433a479a646a064ab3@...kaller.appspotmail.com
Signed-off-by: Peilin Ye <yepeilin.cs@...il.com>
Signed-off-by: Jens Axboe <axboe@...nel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
block/scsi_ioctl.c | 1 +
1 file changed, 1 insertion(+)
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -651,6 +651,7 @@ struct compat_cdrom_generic_command {
compat_int_t stat;
compat_caddr_t sense;
unsigned char data_direction;
+ unsigned char pad[3];
compat_int_t quiet;
compat_int_t timeout;
compat_caddr_t reserved[1];
Powered by blists - more mailing lists