Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130408184433.GS18466@mwanda>
Date: Mon, 8 Apr 2013 21:44:33 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: P J P <ppandit@...hat.com>
Cc: oss security list <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: kernel information leak in
 fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE

On Mon, Apr 08, 2013 at 10:18:30PM +0530, P J P wrote:
>   Hello Dan,
> +-- On Mon, 8 Apr 2013, Dan Carpenter wrote --+
> | The x86 version is ok but asm-generic version of get_user() doesn't clear x.
> | 
> | include/asm-generic/uaccess.h
> | 
> |    226  #define get_user(x, ptr)                                        \
> |    227  ({                                                              \
> |    228          might_sleep();                                          \
> |    229          access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ?             \
> |    230                  __get_user(x, ptr) :                            \
> |    231                  -EFAULT;                                        \
> |    232  })
> 
>   Here, following call sequence ensures that 'x' is always initialised with 
                                                      ^^^^^^ ???
> user memory contents.
> 
>  get_user
>   -> __get_user
>    -> __get_user_fn
>     -> __copy_from_user
> 
> Unless `access_ok()' in `__get_user' returns 0, which it does not, OR 
> sizeof(*ptr) is > 8 bytes.

I'm confused why you are using the word "always" and "Unless
`access_ok()' in `__get_user' returns 0".  I don't understand what
you are saying.

Anyway, the bottom line is that the x86 version of get_user()
doesn't have an info leak and the asm-generic version does.

regards,
dan carpenter

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.