[Karmic][ [CVE-2010-4082] [PATCH 1/1] drivers/video/via/ioctl.c: prevent reading uninitialized stack memory, CVE-2010-4082
Tim Gardner
tim.gardner at canonical.com
Fri Feb 4 19:44:50 UTC 2011
On 02/04/2011 10:26 AM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg at vsecurity.com>
>
> CVE-2010-4082
>
> BugLink: http://bugs.launchpad.net/bugs/712744
>
> The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246
> bytes of uninitialized stack memory, because the "reserved" member of
> the viafb_ioctl_info struct declared on the stack is not altered or
> zeroed before being copied back to the user. This patch takes care of
> it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg at gmail.com>
> Signed-off-by: Florian Tobias Schandinat<FlorianSchandinat at gmx.de>
>
> (cherry-picked from commit b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca)
> Signed-off-by: Brad Figg<brad.figg at canonical.com>
> ---
> drivers/video/via/ioctl.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/video/via/ioctl.c b/drivers/video/via/ioctl.c
> index da03c07..4d553d0 100644
> --- a/drivers/video/via/ioctl.c
> +++ b/drivers/video/via/ioctl.c
> @@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long arg)
> {
> struct viafb_ioctl_info viainfo;
>
> + memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
> +
> viainfo.viafb_id = VIAID;
> viainfo.vendor_id = PCI_VIA_VENDOR_ID;
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
Tim Gardner tim.gardner at canonical.com
More information about the kernel-team
mailing list