Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20130408134930.GA10990@mwanda>
Date: Mon, 8 Apr 2013 16:49:30 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: oss-security@...ts.openwall.com
Cc: P J P <ppandit@...hat.com>
Subject: Re: CVE Request: kernel information leak in
 fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE

On Mon, Apr 08, 2013 at 06:30:02PM +0530, P J P wrote:
>   Hi,
> +-- On Fri, 5 Apr 2013, Marcus Meissner wrote --+
> | Should also get a CVE.
> | https://github.com/torvalds/linux/commit/12176503366885edd542389eed3aaf94be163fdb
> 
> Comments around get_user() macro say that in case of an error, destination 
> variable @x is set to zero.
> 
>  -> https://github.com/torvalds/linux/blob/master/arch/x86/include/asm/uaccess.h#L134
> 
> Just to confirm, is it the same macro that is called from fs/compat_ioctl.c ?
> 

The x86 verion is ok but asm-generic version of get_user() doesn't
clear x.

include/asm-generic/uaccess.h

   226  #define get_user(x, ptr)                                        \
   227  ({                                                              \
   228          might_sleep();                                          \
   229          access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ?             \
   230                  __get_user(x, ptr) :                            \
   231                  -EFAULT;                                        \
   232  })

regards,
dan carpenter

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.