Message ID | 1284586984.6275.92.camel@dan |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
From: Dan Rosenberg <drosenberg@vsecurity.com> Date: Wed, 15 Sep 2010 17:43:04 -0400 > Fixed formatting (tabs and line breaks). > > The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16 > bytes of uninitialized stack memory, because the "master_name" member of > the master_config_t struct declared on the stack in eql_g_master_cfg() > is not altered or zeroed before being copied back to the user. This > patch takes care of it. > > Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
--- linux-2.6.35.4.orig/drivers/net/eql.c 2010-08-26 19:47:12.000000000 -0400 +++ linux-2.6.35.4/drivers/net/eql.c 2010-09-14 21:25:27.719474445 -0400 @@ -555,6 +555,8 @@ static int eql_g_master_cfg(struct net_d equalizer_t *eql; master_config_t mc; + memset(&mc, 0, sizeof(master_config_t)); + if (eql_is_master(dev)) { eql = netdev_priv(dev); mc.max_slaves = eql->max_slaves;
Fixed formatting (tabs and line breaks). The EQL_GETMASTRCFG device ioctl allows unprivileged users to read 16 bytes of uninitialized stack memory, because the "master_name" member of the master_config_t struct declared on the stack in eql_g_master_cfg() is not altered or zeroed before being copied back to the user. This patch takes care of it. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html