oss-sec mailing list archives

Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE

From: P J P <ppandit () redhat com>
Date: Mon, 8 Apr 2013 22:18:30 +0530 (IST)

  Hello Dan,
+-- On Mon, 8 Apr 2013, Dan Carpenter wrote --+
| The x86 version is ok but asm-generic version of get_user() doesn't clear x.
| 
| include/asm-generic/uaccess.h
| 
|    226  #define get_user(x, ptr)                                        \
|    227  ({                                                              \
|    228          might_sleep();                                          \
|    229          access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ?             \
|    230                  __get_user(x, ptr) :                            \
|    231                  -EFAULT;                                        \
|    232  })

  Here, following call sequence ensures that 'x' is always initialised with 
user memory contents.

 get_user
  -> __get_user
   -> __get_user_fn
    -> __copy_from_user

Unless `access_ok()' in `__get_user' returns 0, which it does not, OR 
sizeof(*ptr) is > 8 bytes.

Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB  C939 D048 7860 3655 602B

Current thread:

CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Marcus Meissner (Apr 05)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Kurt Seifried (Apr 05)
- Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
  - Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Dan Carpenter (Apr 08)
    - Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
    - Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Dan Carpenter (Apr 08)
    - Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Dan Carpenter (Apr 08)
    - Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
    - Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
    - Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 08)
    - Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE Dan Carpenter (Apr 08)
    - Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE P J P (Apr 09)