[PATCH] powerpc: kvm: fix information leak to userland
Structure kvm_ppc_pvinfo is copied to userland with flags and
pad fields unitialized. It leads to leaking of contents of
kernel stack memory.
Signed-off-by: Vasiliy Kulikov sego...@gmail.com
---
I cannot compile this driver, so it is not tested at all.
arch/powerpc/kvm/powerpc.c |1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
index 2f87a16..38f756f 100644
--- a/arch/powerpc/kvm/powerpc.c
+++ b/arch/powerpc/kvm/powerpc.c
@@ -617,6 +617,7 @@ long kvm_arch_vm_ioctl(struct file *filp,
switch (ioctl) {
case KVM_PPC_GET_PVINFO: {
struct kvm_ppc_pvinfo pvinfo;
+ memset(pvinfo, 0, sizeof(pvinfo));
r = kvm_vm_ioctl_get_pvinfo(pvinfo);
if (copy_to_user(argp, pvinfo, sizeof(pvinfo))) {
r = -EFAULT;
--
1.7.0.4
___
Linuxppc-dev mailing list
Linuxppc-dev@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/linuxppc-dev
[PATCH v2] powerpc: kvm: powerpc: fix information leak to userland
Structure kvm_ppc_pvinfo is copied to userland with flags and pad fields unitialized. It leads to leaking of contents of kernel stack memory. We have to initialize them to zero. In patch v1 Jan Kiszka suggested to fill reserved fields with zeros instead of memset'ting the whole struct. It makes sense as these fields are explicitly marked as padding. No more fields need zeroing. Signed-off-by: Vasiliy Kulikov sego...@gmail.com --- arch/powerpc/kvm/powerpc.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c index 2f87a16..5962336 100644 --- a/arch/powerpc/kvm/powerpc.c +++ b/arch/powerpc/kvm/powerpc.c @@ -604,6 +604,8 @@ static int kvm_vm_ioctl_get_pvinfo(struct kvm_ppc_pvinfo *pvinfo) pvinfo-hcall[1] = inst_ori | (KVM_SC_MAGIC_R0 inst_imm_mask); pvinfo-hcall[2] = inst_sc; pvinfo-hcall[3] = inst_nop; + pvinfo-flags = 0; + memset(pvinfo-pad, 0, sizeof(pvinfo-pad)); return 0; } -- 1.7.0.4 ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
[PATCH] powerpc: sysdev: fix signedness bug
sram_params.sram_size and sram_params.sram_offset were unsigned.
If get_cache_sram_size() or get_cache_sram_offset() returns error code
then it is not seen to the caller. Made sram_size and sram_offset signed.
Signed-off-by: Vasiliy Kulikov sego...@gmail.com
---
arch/powerpc/sysdev/fsl_85xx_l2ctlr.c |4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/sysdev/fsl_85xx_l2ctlr.c
b/arch/powerpc/sysdev/fsl_85xx_l2ctlr.c
index cc8d655..23b85ac 100644
--- a/arch/powerpc/sysdev/fsl_85xx_l2ctlr.c
+++ b/arch/powerpc/sysdev/fsl_85xx_l2ctlr.c
@@ -94,14 +94,14 @@ static int __devinit mpc85xx_l2ctlr_of_probe(struct
platform_device *dev,
l2cache_size = *prop;
sram_params.sram_size = get_cache_sram_size();
- if (sram_params.sram_size = 0) {
+ if ((int)sram_params.sram_size = 0) {
dev_err(dev-dev,
Entire L2 as cache, Aborting Cache-SRAM stuff\n);
return -EINVAL;
}
sram_params.sram_offset = get_cache_sram_offset();
- if (sram_params.sram_offset = 0) {
+ if ((int64_t)sram_params.sram_offset = 0) {
dev_err(dev-dev,
Entire L2 as cache, provide a valid sram offset\n);
return -EINVAL;
--
1.7.0.4
___
Linuxppc-dev mailing list
Linuxppc-dev@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/linuxppc-dev
Re: [PATCH] char: hvc: check for error case
On Mon, Sep 13, 2010 at 09:12 -0400, Chris Metcalf wrote: Thanks, accepted into my tree (for the next merge window). In practice all this means is in debug mode we'll get a warning from do_one_initcall() rather than silence, but you're right, it's technically better. :-) Anyway it's better, if user sees warning in the dmesg, he/she might response to this situation. Best, -- Vasiliy ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
Re: [PATCH 1/7] drivers/macintosh/via-pmu-led.c: Add of_node_put to avoid memory leak
On Tue, Aug 31, 2010 at 18:08 +0200, Julia Lawall wrote:
On Tue, 31 Aug 2010, walter harms wrote:
Julia Lawall schrieb:
Add a call to of_node_put in the error handling code following a call to
of_find_node_by_path.
[...]
--- a/drivers/macintosh/via-pmu-led.c
+++ b/drivers/macintosh/via-pmu-led.c
@@ -92,8 +92,10 @@ static int __init via_pmu_led_init(void)
if (dt == NULL)
return -ENODEV;
model = of_get_property(dt, model, NULL);
- if (model == NULL)
+ if (model == NULL) {
+ of_node_put(dt);
return -ENODEV;
+ }
if (strncmp(model, PowerBook, strlen(PowerBook)) != 0
strncmp(model, iBook, strlen(iBook)) != 0
strcmp(model, PowerMac7,2) != 0
is there any rule that says when to use strncmp ? it seems perfecly valid
to use strcpy here
(what is done in the last cmp).
Perhaps there are some characters after eg PowerBook that one doesn't want
to compare with?
It seems to me that model has no '\0' in the end. If model is got from
the hardware then we should double check it - maybe harware is buggy.
Otherwise we'll overflow model.
But why strcmp(model, PowerMac7,2)? IMO it should be replaced
with strncmp().
--
Vasiliy
___
Linuxppc-dev mailing list
Linuxppc-dev@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/linuxppc-dev
Re: [PATCH 2/7] usb: fsl_udc_core: check return value of create_proc_read_entry()
On Sat, Jul 31, 2010 at 21:17 +0200, Dan Carpenter wrote: On Sat, Jul 31, 2010 at 09:38:20PM +0400, Kulikov Vasiliy wrote: create_proc_read_entry() may fail, if so return -ENOMEM. It can fail, but also we return NULL if procfs is disabled. I haven't looked at it very carefully, would this patch break the module if procfs was disabled? Probably you are right, but many drivers in tree compare return value with NULL. Some of them interpret this as error, some of them simply call pr_warn(Hmm, I cannot create file in proc, strange...). Maybe there is more simplier way to check it without #ifdefs? The same applies to the similar patches in this set. regards, dan carpenter ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
