[Karmic] [CVE-2010-4079] [PATCH 1/1] V4L/DVB: ivtvfb: prevent reading uninitialized stack memory, CVE-2010-4079
Tim Gardner
tim.gardner at canonical.com
Wed Jan 26 04:32:08 UTC 2011
On 01/25/2011 07:12 PM, Brad Figg wrote:
> From: Dan Rosenberg<drosenberg at vsecurity.com>
>
> CVE-2010-4079
>
> BugLink: http://bugs.launchpad.net/bugs/707649
>
> Released by: 2.6.32.y stable upstream
>
> The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
> bytes of uninitialized stack memory, because the "reserved" member of
> the fb_vblank struct declared on the stack is not altered or zeroed
> before being copied back to the user. This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg<dan.j.rosenberg at gmail.com>
> Signed-off-by: Andy Walls<awalls at md.metrocast.net>
> Signed-off-by: Mauro Carvalho Chehab<mchehab at redhat.com>
>
> (cherry-picked from commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9)
> Signed-off-by: Brad Figg<brad.figg at canonical.com>
> ---
> drivers/media/video/ivtv/ivtvfb.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/media/video/ivtv/ivtvfb.c b/drivers/media/video/ivtv/ivtvfb.c
> index fa6bb85..6b61bb6 100644
> --- a/drivers/media/video/ivtv/ivtvfb.c
> +++ b/drivers/media/video/ivtv/ivtvfb.c
> @@ -457,6 +457,8 @@ static int ivtvfb_ioctl(struct fb_info *info, unsigned int cmd, unsigned long ar
> struct fb_vblank vblank;
> u32 trace;
>
> + memset(&vblank, 0, sizeof(struct fb_vblank));
> +
> vblank.flags = FB_VBLANK_HAVE_COUNT |FB_VBLANK_HAVE_VCOUNT |
> FB_VBLANK_HAVE_VSYNC;
> trace = read_reg(0x028c0)>> 16;
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
Tim Gardner tim.gardner at canonical.com
More information about the kernel-team
mailing list