[Karmic][ [CVE-2010-4082] [PATCH 1/1] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory, CVE-2010-4082
Brad Figg
brad.figg at canonical.com
Fri Feb 4 17:26:40 UTC 2011
From: Dan Rosenberg <drosenberg at vsecurity.com>
CVE-2010-4082
BugLink: http://bugs.launchpad.net/bugs/712744
The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
bytes of uninitialized stack memory, because the "reserved" member of
the viafb_ioctl_info struct declared on the stack is not altered or
zeroed before being copied back to the user. This patch takes care of
it.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat at gmx.de>
(cherry-picked from commit b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca)
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
drivers/video/via/ioctl.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/drivers/video/via/ioctl.c b/drivers/video/via/ioctl.c
index da03c07..4d553d0 100644
--- a/drivers/video/via/ioctl.c
+++ b/drivers/video/via/ioctl.c
@@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long arg)
{
struct viafb_ioctl_info viainfo;
+ memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
+
viainfo.viafb_id = VIAID;
viainfo.vendor_id = PCI_VIA_VENDOR_ID;
--
1.7.3.5
More information about the kernel-team
mailing list