The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would
cause an information leak as well.
Signed-off-by: Dan Carpenter <[email protected]>
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
Hello Dan,
===
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device
*bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
...
===
This exact same patch was included back in 2010 by Mr Vasiliy Kulikov.
-> https://git.kernel.org/linus/7ab5118d7c2be650bc936894f159dc1c597badae
But there is no entry/log of its reversal. Any idea why was it removed?
Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB C939 D048 7860 3655 602B
On Tue, Jun 04, 2013 at 04:09:10PM +0530, P J P wrote:
> Hello Dan,
> ===
> diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
> index 6374dc1..34971aa 100644
> --- a/drivers/block/cciss.c
> +++ b/drivers/block/cciss.c
> @@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct
> block_device *bdev, fmode_t mode,
> int err;
> u32 cp;
>
> + memset(&arg64, 0, sizeof(arg64));
> ...
> ===
>
> This exact same patch was included back in 2010 by Mr Vasiliy Kulikov.
>
> -> https://git.kernel.org/linus/7ab5118d7c2be650bc936894f159dc1c597badae
>
> But there is no entry/log of its reversal. Any idea why was it removed?
No no. Vasily patched cciss_ioctl32_big_passthru() and this patch
changes cciss_ioctl32_passthru().
regards,
dan carpenter
| No no. Vasily patched cciss_ioctl32_big_passthru() and this patch
| changes cciss_ioctl32_passthru().
Oops, yeah, I missed the `big' part!
Thanks.
--
Prasad J Pandit / Red Hat Security Response Team
DB7A 84C5 D3F9 7CD1 B5EB C939 D048 7860 3655 602B
The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would
cause an information leak as well.
This was assigned CVE-2013-2147.
Signed-off-by: Dan Carpenter <[email protected]>
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
-----Original Message-----
From: Dan Carpenter [mailto:[email protected]]
Sent: Wednesday, September 11, 2013 2:39 AM
To: Miller, Mike (OS Dev); Andrew Morton
Cc: ISS StorageDev; [email protected]; [email protected]; Moritz Muehlenhoff
Subject: [patch -resend] cciss: info leak in cciss_ioctl32_passthru()
The arg64 struct has a hole after ->buf_size which isn't cleared.
Or if any of the calls to copy_from_user() fail then that would cause an information leak as well.
This was assigned CVE-2013-2147.
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Mike Miller <[email protected]>
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c index 6374dc1..34971aa 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
int err;
u32 cp;
+ memset(&arg64, 0, sizeof(arg64));
err = 0;
err |=
copy_from_user(&arg64.LUN_info, &arg32->LUN_info,