ACK: [lucid/fsl-imx51, maverick, maverick/ti-omap4, natty, natty/ti-omap4 CVE 1/1] staging: comedi: fix infoleak to userspace
Tim Gardner
tim.gardner at canonical.com
Fri Oct 7 15:51:08 UTC 2011
On 10/07/2011 10:33 AM, Andy Whitcroft wrote:
> From: Vasiliy Kulikov<segoon at openwall.com>
>
> driver_name and board_name are pointers to strings, not buffers of size
> COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing
> less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes.
>
> Signed-off-by: Vasiliy Kulikov<segoon at openwall.com>
> Cc: stable<stable at kernel.org>
> Signed-off-by: Greg Kroah-Hartman<gregkh at suse.de>
>
> (cherry picked from commit 819cbb120eaec7e014e5abd029260db1ca8c5735)
> CVE-2011-2909
> BugLink: http://bugs.launchpad.net/bugs/869261
> Signed-off-by: Andy Whitcroft<apw at canonical.com>
> ---
> drivers/staging/comedi/comedi_fops.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
> index 9d7c993..16d98ce 100644
> --- a/drivers/staging/comedi/comedi_fops.c
> +++ b/drivers/staging/comedi/comedi_fops.c
> @@ -359,8 +359,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev, struct comedi_devinfo *ar
> /* fill devinfo structure */
> devinfo.version_code = COMEDI_VERSION_CODE;
> devinfo.n_subdevs = dev->n_subdevices;
> - memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
> - memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
> + strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
> + strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
>
> if (read_subdev)
> devinfo.read_subdevice = read_subdev - dev->subdevices;
--
Tim Gardner tim.gardner at canonical.com
More information about the kernel-team
mailing list