Re: [PATCH RFC v1b] firewire: cdev: prevent kernel stack leaking into ioctl arguments

2014-11-11 Thread Clemens Ladisch
Stefan Richter wrote:
> This fix simply always null-initializes the entire ioctl argument buffer
> regardless of the actual length of expected user input. That is, a
> runtime overhead of memset(..., 40) is added to each firewire-cdev
> ioctl() call. This part of the stack is most likely to be a

[PATCH RFC v1b] firewire: cdev: prevent kernel stack leaking into ioctl arguments

2014-11-11 Thread Stefan Richter
Found by the UC-KLEE tool: A user could supply less input to firewire-cdev ioctls than write- or write/read-type ioctl handlers expect. The handlers used data from uninitialized kernel stack then. This could partially leak back to the user if the kernel subsequently generated fw_cdev_event_'s (t