Date: Wed, 21 Jan 2015 13:49:45 +0100
From: Petr Matousek <pmatouse@...hat.com>
To: pavel@....cz
Cc: "Mehaffey, John" <John_Mehaffey@...tor.com>,
        oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux kernel information leak in
 event device handling

On Tue, Jan 20, 2015 at 03:23:19PM +0000, Mehaffey, John wrote:
> > From: Marcus Meissner [meissner@...e.de]
> > Sent: Tuesday, January 20, 2015 6:43 AM
> > To: OSS Security List
> > Subject: [oss-security] CVE Request: Linux kernel information leak in event device handling
> >
> > Hi,
> >
> > This needs a CVE, information leak out of the kernel.
> >
> > This probably was introduced by commit 483180281f0ac60d1138710eb21f4b9961901294
> > in Linux 3.9.
> >
> > Ciao, Marcus
> >
> > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7c4f56070fde2367766fa1fb04852599b5e1ad35
> > https://bugzilla.suse.com/show_bug.cgi?id=904899
> >
> > Input: evdev - fix EVIOCG{type} ioctl
> >
> > The 'max' size passed into the function is measured in number of bits
> > (KEY_MAX, LED_MAX, etc) so we need to convert it accordingly before
> > trying to copy the data out, otherwise we will try copying too much
> > and end up with a page fault.
> >
> > Reported-by: Pavel Machek <pavel@....cz>
> > Reviewed-by: Pavel Machek <pavel@....cz>
> > Reviewed-by: David Herrmann <dh.herrmann@...il.com>
> > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@...il.com>
> 
> I don't see how this could leak information to the user.
> 
> Without the patch, too much memory is allocated internally in the driver, and too much data is copied into that buffer (potentially causing a page fault) but the same, correct amount of data is copied out to the user both before and after this patch.

@Pavel -- did you encounter the page fault? Looking at the code, even
the oversized copy from dev->sw looks to be satisfied by the remaining
fields in input_dev structure.

Thanks,
-- 
Petr Matousek / Red Hat Product Security
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA
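
The sizes under discussion in this thread, as an added example that is not code from the kernel or from any poster: it compares the internal copy length when the bit count `max` is left unconverted with the length after converting bits to whole longs, and with the amount that reaches the caller. The function names are hypothetical, the sample bit counts are constructed, and the pre-patch sizing of `sizeof(unsigned long) * max` is an assumption based on the description quoted above.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Bits -> whole longs, the rounding the kernel's BITS_TO_LONGS() does. */
static size_t bits_to_longs(unsigned int nbits)
{
    size_t per_long = sizeof(unsigned long) * CHAR_BIT;
    return (nbits + per_long - 1) / per_long;
}

/* Assumed pre-patch sizing: the bit count is used as a count of longs. */
static size_t unconverted_len(unsigned int max_bits)
{
    return sizeof(unsigned long) * max_bits;
}

/* Sizing after converting the bit count to whole longs. */
static size_t converted_len(unsigned int max_bits)
{
    return bits_to_longs(max_bits) * sizeof(unsigned long);
}

/* Bytes the unconverted length reads past the end of the bitmap. */
static size_t overread(unsigned int max_bits)
{
    return unconverted_len(max_bits) - converted_len(max_bits);
}

/* Bytes reaching the caller: capped by bitmap size and user buffer size. */
static size_t copied_out(unsigned int max_bits, size_t user_size)
{
    size_t len = converted_len(max_bits);
    return user_size < len ? user_size : len;
}

int main(void)
{
    /* Constructed sample bit counts, not taken from kernel headers. */
    unsigned int samples[] = { 15, 767 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int m = samples[i];
        printf("max=%u bits: internal copy %zu -> %zu bytes, "
               "over-read %zu, to user %zu\n", m, unconverted_len(m),
               converted_len(m), overread(m), copied_out(m, 4096));
    }
    return 0;
}
```

The over-read column is the span past the bitmap that the internal copy touches; whether that span stays inside the enclosing structure is the question raised in the message above.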
