Date: Wed, 21 Jan 2015 14:03:17 +0100
From: Pavel Machek <pavel@....cz>
To: "Mehaffey, John" <John_Mehaffey@...tor.com>,
	oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux kernel information leak in event device handling

On Wed 2015-01-21 13:49:45, Petr Matousek wrote:
> On Tue, Jan 20, 2015 at 03:23:19PM +0000, Mehaffey, John wrote:
> > > From: Marcus Meissner [meissner@...e.de]
> > > Sent: Tuesday, January 20, 2015 6:43 AM
> > > To: OSS Security List
> > > Subject: [oss-security] CVE Request: Linux kernel information leak in event device handling
> > >
> > > Hi,
> > >
> > > This needs a CVE, information leak out of the kernel.
> > >
> > > This probably was introduced by commit 483180281f0ac60d1138710eb21f4b9961901294
> > > in Linux 3.9.
> > >
> > > Ciao, Marcus
> > >
> > > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7c4f56070fde2367766fa1fb04852599b5e1ad35
> > > https://bugzilla.suse.com/show_bug.cgi?id=904899
> > >
> > > Input: evdev - fix EVIOCG{type} ioctl
> > >
> > > The 'max' size passed into the function is measured in number of bits
> > > (KEY_MAX, LED_MAX, etc) so we need to convert it accordingly before
> > > trying to copy the data out, otherwise we will try copying too much
> > > and end up with a page fault.
> > >
> > > Reported-by: Pavel Machek <pavel@....cz>
> > > Reviewed-by: Pavel Machek <pavel@....cz>
> > > Reviewed-by: David Herrmann <dh.herrmann@...il.com>
> > > Signed-off-by: Dmitry Torokhov <dmitry.torokhov@...il.com>
> > 
> > I don't see how this could leak information to the user.
> > 
> > Without the patch, too much memory is allocated internally in the driver, and too much data is copied into that buffer (potentially causing a page fault) but the same, correct amount of data is copied out to the user both before and after this patch.
> 
> @Pavel -- did you encounter the page fault? Looking at the code, even
> the oversized copy from dev->sw looks to be satisfied by the remaining
> fields in input_dev structure.

Yes. I guess you could search the original report somewhere...
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
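The bits-versus-longs sizing that the commit message and John's reply describe, worked through as an added C illustration (not kernel code and not part of this message). The KEY_MAX/LED_MAX values are the input-subsystem constants; the pre-fix sizing ('max' longs) follows the reply's description, and the rest is assumed for the example.

```c
/* Added illustration, not kernel code: models the EVIOCG{type} length arithmetic
 * described in the thread. The kernel keeps each bitmap as BITS_TO_LONGS(max)
 * longs; the pre-fix handler sized its internal staging copy as 'max' longs. */
#include <stddef.h>
#include <stdio.h>

/* Same formula as the kernel macro: number of longs needed to hold n bits. */
#define BITS_TO_LONGS(n) (((n) + 8 * sizeof(long) - 1) / (8 * sizeof(long)))

/* Bit-count limits as in <linux/input-event-codes.h>, repeated here as constants. */
#define KEY_MAX 0x2ff
#define LED_MAX 0x0f

/* Real size in bytes of a bitmap holding bits 0..maxbit (the fixed copy length). */
size_t bitmap_bytes(unsigned int maxbit) {
    return BITS_TO_LONGS(maxbit) * sizeof(long);
}

/* Pre-fix internal copy length: 'maxbit' longs, a bit count used as a long count. */
size_t buggy_internal_len(unsigned int maxbit) {
    return (size_t)maxbit * sizeof(long);
}

/* Bytes a copy of 'len' would read beyond the bitmap itself (0 if in bounds).
 * In the kernel the bitmaps sit inside struct input_dev, so the excess comes
 * from the fields that follow, which is why a fault is only "potential". */
size_t overread_bytes(unsigned int maxbit, size_t len) {
    size_t real = bitmap_bytes(maxbit);
    return len > real ? len - real : 0;
}

/* Bytes handed back to the caller: the real bitmap clamped to the user buffer.
 * This is unchanged by the fix, which is the point raised in the thread. */
size_t user_copy_len(unsigned int maxbit, size_t user_size) {
    size_t real = bitmap_bytes(maxbit);
    return real < user_size ? real : user_size;
}

int main(void) {
    const struct { const char *name; unsigned int maxbit; } types[] = {
        { "KEY_MAX", KEY_MAX }, { "LED_MAX", LED_MAX },
    };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        unsigned int m = types[i].maxbit;
        printf("%-7s bitmap=%zu B, pre-fix copy=%zu B (%zu B past it), to user=%zu B\n",
               types[i].name, bitmap_bytes(m), buggy_internal_len(m),
               overread_bytes(m, buggy_internal_len(m)), user_copy_len(m, 4096));
    }
    return 0;
}
```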