[Lucid CVE-2013-1928] fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
Luis Henriques
luis.henriques at canonical.com
Fri Apr 12 13:14:32 UTC 2013
From: Kees Cook <keescook at chromium.org>
CVE-2013-1928
BugLink: http://bugs.launchpad.net/bugs/1167061
The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check
while converting ioctl arguments. This could lead to leaking kernel
stack contents into userspace.
Patch extracted from existing fix in grsecurity.
Signed-off-by: Kees Cook <keescook at chromium.org>
Cc: David Miller <davem at davemloft.net>
Cc: Brad Spengler <spender at grsecurity.net>
Cc: PaX Team <pageexec at freemail.hu>
Cc: <stable at vger.kernel.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit 12176503366885edd542389eed3aaf94be163fdb)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
fs/compat_ioctl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index c30134b..98d3c58 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd, unsigned
up = (struct compat_video_spu_palette __user *) arg;
err = get_user(palp, &up->palette);
err |= get_user(length, &up->length);
+ if (err)
+ return -EFAULT;
up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
err = put_user(compat_ptr(palp), &up_native->palette);
--
1.8.1.2
More information about the kernel-team
mailing list