[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 8 Apr 2013 21:44:33 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: P J P <ppandit@...hat.com>
Cc: oss security list <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: kernel information leak in
fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE
On Mon, Apr 08, 2013 at 10:18:30PM +0530, P J P wrote:
> Hello Dan,
> +-- On Mon, 8 Apr 2013, Dan Carpenter wrote --+
> | The x86 version is ok but asm-generic version of get_user() doesn't clear x.
> |
> | include/asm-generic/uaccess.h
> |
> | 226 #define get_user(x, ptr) \
> | 227 ({ \
> | 228 might_sleep(); \
> | 229 access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \
> | 230 __get_user(x, ptr) : \
> | 231 -EFAULT; \
> | 232 })
>
> Here, following call sequence ensures that 'x' is always initialised with
^^^^^^ ???
> user memory contents.
>
> get_user
> -> __get_user
> -> __get_user_fn
> -> __copy_from_user
>
> Unless `access_ok()' in `__get_user' returns 0, which it does not, OR
> sizeof(*ptr) is > 8 bytes.
I'm confused why you are using the word "always" and "Unless
`access_ok()' in `__get_user' returns 0". I don't understand what
you are saying.
Anyway, the bottom line is that the x86 version of get_user()
doesn't have an info leak and the asm-generic version does.
regards,
dan carpenter
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
