[PATCH] Staging: bcm: Fix information leak in IOCTL_BCM_GET_DRIVER_VERSION

Dan Carpenter dan.carpenter at oracle.com
Wed Dec 14 06:06:46 UTC 2011


On Tue, Dec 13, 2011 at 07:27:32PM -0500, Kevin McKinney wrote:
> This ioctl, IOCTL_BCM_GET_DRIVER_VERSION, is
> responsible for sending the driver version
> to userspace. However, the requested size stored
> in IoBuffer.OutputLength may be incorrect.
> Therefore, we altered the code to send the
> exact length of the version, plus one for the
> null character.
> 
> Signed-off-by: Kevin McKinney <klmckinney1 at gmail.com>
> ---
>  drivers/staging/bcm/Bcmchar.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
> index c4d7a61..96945bb 100644
> --- a/drivers/staging/bcm/Bcmchar.c
> +++ b/drivers/staging/bcm/Bcmchar.c
> @@ -1003,7 +1003,7 @@ cntrlEnd:
>  		if (copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER)))
>  			return -EFAULT;
>  
> -		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, IoBuffer.OutputLength))
> +		if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, strlen(VER_FILEVERSION_STR)+1))
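
Review bot: the new third argument on the + line, strlen(VER_FILEVERSION_STR)+1, drops IoBuffer.OutputLength entirely, so a caller whose output buffer is smaller than the version string now has more bytes written to it than it asked for. Bound the copy by both values, for example len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1), and pass len to copy_to_user(). The changelog could also state the leak directly: with the old call, an OutputLength larger than the string copies the bytes that follow VER_FILEVERSION_STR out to userspace.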

You should still take into consideration what the user passed as
IoBuffer.OutputLength.  Something like:

	len = min_t(ulong, IoBuffer.OutputLength, strlen(VER_FILEVERSION_STR) + 1);
	if (copy_to_user(IoBuffer.OutputBuffer, VER_FILEVERSION_STR, len))
		return -EFAULT;

regards,
dan carpenter
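
The three length choices discussed in this thread, as an added userspace model that is not code from the patch or the driver. The version string value, `struct io_buffer`, and all function names are assumptions made for illustration, and `memcpy` stands in for `copy_to_user`.

```c
/* Userspace model (constructed) of the copy lengths discussed in the thread. */
#include <stdio.h>
#include <string.h>

#define VER_STR "1.2.3"        /* constructed stand-in for VER_FILEVERSION_STR */

/* Hypothetical stand-in for the output fields of the driver's IOCTL_BUFFER. */
struct io_buffer {
	char *out;             /* caller's buffer */
	unsigned long out_len; /* size the caller says it has */
};

/* Length used by the original code, by the patch, and by the clamped form. */
static size_t len_original(const struct io_buffer *io) { return io->out_len; }
static size_t len_patched(const struct io_buffer *io) { (void)io; return strlen(VER_STR) + 1; }
static size_t len_clamped(const struct io_buffer *io)
{
	size_t need = strlen(VER_STR) + 1;
	return io->out_len < need ? io->out_len : need;
}

/* Bytes read past the end of the source string (the information leak). */
static size_t overread(size_t len)
{
	size_t src = strlen(VER_STR) + 1;
	return len > src ? len - src : 0;
}

/* Bytes written past the size the caller stated (overflow of its buffer). */
static size_t overwrite(const struct io_buffer *io, size_t len)
{
	return len > io->out_len ? len - io->out_len : 0;
}

/* Clamped copy; memcpy stands in for copy_to_user. Returns bytes copied. */
static size_t get_version_clamped(struct io_buffer *io)
{
	size_t len = len_clamped(io);
	memcpy(io->out, VER_STR, len);
	return len;
}

int main(void)
{
	char small[3], big[64];
	struct io_buffer s = { small, sizeof(small) }, b = { big, sizeof(big) };
	printf("original, 64-byte request: over-read %zu\n", overread(len_original(&b)));
	printf("patched, 3-byte buffer: overflow %zu\n", overwrite(&s, len_patched(&s)));
	printf("clamped: %zu and %zu bytes\n", get_version_clamped(&s), get_version_clamped(&b));
	return 0;
}
```

With the clamp, a caller that passes a buffer shorter than the string receives a truncated copy with no terminating NUL, so it has to handle that case itself.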

