| Message ID | X/6sVaewHLPzv00U@mwanda (mailing list archive) |
|---|---|
| State | Not Applicable, archived |
| Headers | show |
| Series | platform/surface: aggregator: prevent information leak in ssam_cdev_request() | expand |
Hi, On 1/13/21 9:16 AM, Dan Carpenter wrote: > If copy_struct_from_user() fails at the start of the function then this > function calls put_user(rsp.length, &r->response.length) before > "rsp.length" is set to zero. That is a potential security issue because > it discloses kernel stack data to user space. > > Fixes: 178f6ab77e61 ("platform/surface: Add Surface Aggregator user-space interface") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Thank you for your patch, another fix for this was already submitted: https://patchwork.kernel.org/project/platform-driver-x86/patch/20210111154851.325404-2-luzmaximilian@gmail.com/ So I'm dropping this patch from my queue. Regards, Hans > --- > drivers/platform/surface/surface_aggregator_cdev.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/drivers/platform/surface/surface_aggregator_cdev.c b/drivers/platform/surface/surface_aggregator_cdev.c > index 340d15b148b9..05e9eb118d76 100644 > --- a/drivers/platform/surface/surface_aggregator_cdev.c > +++ b/drivers/platform/surface/surface_aggregator_cdev.c > @@ -67,7 +67,7 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg) > struct ssam_cdev_request __user *r; > struct ssam_cdev_request rqst; > struct ssam_request spec; > - struct ssam_response rsp; > + struct ssam_response rsp = {}; > const void __user *plddata; > void __user *rspdata; > int status = 0, ret = 0, tmp; > @@ -96,8 +96,6 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg) > spec.flags |= SSAM_REQUEST_UNSEQUENCED; > > rsp.capacity = rqst.response.length; > - rsp.length = 0; > - rsp.pointer = NULL; > > /* Get request payload from user-space. */ > if (spec.length) { >
diff --git a/drivers/platform/surface/surface_aggregator_cdev.c b/drivers/platform/surface/surface_aggregator_cdev.c index 340d15b148b9..05e9eb118d76 100644 --- a/drivers/platform/surface/surface_aggregator_cdev.c +++ b/drivers/platform/surface/surface_aggregator_cdev.c @@ -67,7 +67,7 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg) struct ssam_cdev_request __user *r; struct ssam_cdev_request rqst; struct ssam_request spec; - struct ssam_response rsp; + struct ssam_response rsp = {}; const void __user *plddata; void __user *rspdata; int status = 0, ret = 0, tmp; @@ -96,8 +96,6 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg) spec.flags |= SSAM_REQUEST_UNSEQUENCED; rsp.capacity = rqst.response.length; - rsp.length = 0; - rsp.pointer = NULL; /* Get request payload from user-space. */ if (spec.length) {
If copy_struct_from_user() fails at the start of the function then this function calls put_user(rsp.length, &r->response.length) before "rsp.length" is set to zero. That is a potential security issue because it discloses kernel stack data to user space. Fixes: 178f6ab77e61 ("platform/surface: Add Surface Aggregator user-space interface") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/platform/surface/surface_aggregator_cdev.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)