|
Message-ID: <20130408184433.GS18466@mwanda> Date: Mon, 8 Apr 2013 21:44:33 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: P J P <ppandit@...hat.com> Cc: oss security list <oss-security@...ts.openwall.com> Subject: Re: CVE Request: kernel information leak in fs/compat_ioctl.c VIDEO_SET_SPU_PALETTE On Mon, Apr 08, 2013 at 10:18:30PM +0530, P J P wrote: > Hello Dan, > +-- On Mon, 8 Apr 2013, Dan Carpenter wrote --+ > | The x86 version is ok but asm-generic version of get_user() doesn't clear x. > | > | include/asm-generic/uaccess.h > | > | 226 #define get_user(x, ptr) \ > | 227 ({ \ > | 228 might_sleep(); \ > | 229 access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ? \ > | 230 __get_user(x, ptr) : \ > | 231 -EFAULT; \ > | 232 }) > > Here, following call sequence ensures that 'x' is always initialised with ^^^^^^ ??? > user memory contents. > > get_user > -> __get_user > -> __get_user_fn > -> __copy_from_user > > Unless `access_ok()' in `__get_user' returns 0, which it does not, OR > sizeof(*ptr) is > 8 bytes. I'm confused why you are using the word "always" and "Unless `access_ok()' in `__get_user' returns 0". I don't understand what you are saying. Anyway, the bottom line is that the x86 version of get_user() doesn't have an info leak and the asm-generic version does. regards, dan carpenter
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.