[patch] staging: alarm-dev: information leak in alarm_compat_ioctl()
Arve Hjønnevåg
arve at android.com
Wed Jun 5 00:49:06 UTC 2013
On Tue, Jun 4, 2013 at 5:25 PM, John Stultz <john.stultz at linaro.org> wrote:
> On 06/04/2013 05:07 PM, Arve Hjønnevåg wrote:
>>
>> On Tue, Jun 4, 2013 at 6:13 AM, Dan Carpenter <dan.carpenter at oracle.com>
>> wrote:
>>>
>>> If we pass an invalid clock type then "ts" is never set. We need to
>>> check for errors earlier, otherwise we end up passing uninitialized
>>> stack data to userspace.
>>>
>>> Reported-by: John Stultz <john.stultz at linaro.org>
>>> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
>>>
>>> diff --git a/drivers/staging/android/alarm-dev.c
>>> b/drivers/staging/android/alarm-dev.c
>>> index c8600d9..6dc27da 100644
>>> --- a/drivers/staging/android/alarm-dev.c
>>> +++ b/drivers/staging/android/alarm-dev.c
>>> @@ -297,6 +297,8 @@ static long alarm_compat_ioctl(struct file *file,
>>> unsigned int cmd,
>>> }
>>>
>>> rv = alarm_do_ioctl(file, cmd, &ts);
>>> + if (rv)
>>> + return rv;
>>>
>>> switch (ANDROID_ALARM_BASE_CMD(cmd)) {
>>> case ANDROID_ALARM_GET_TIME(0): /* NOTE: we modified cmd above
>>> */
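Review bot: The new `if (rv) return rv;` after alarm_do_ioctl() only closes the leak if alarm_do_ioctl() returns nonzero on every path that leaves "ts" unset, and these lines do not show that. A one-line comment above the check saying that ts is only valid when rv is 0 would record why the early return is there. Initializing ts where it is declared would also cover any path that returns 0 without writing it.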
>>> @@ -305,7 +307,7 @@ static long alarm_compat_ioctl(struct file *file,
>>> unsigned int cmd,
>>> break;
>>> }
>>>
>>> - return rv;
>>> + return 0;
>>> }
>>> #endif
>>>
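Review bot: The final `return 0;` replaces `return rv;`, but the changelog only talks about checking for errors earlier. With the early return in place rv is already 0 at this point unless the switch body reassigns it, so either keep `return rv;` to keep the diff minimal or say in the commit message that this line is a cleanup. If a case in the switch can fail, confirm it returns its error directly, because this line would now hide a nonzero rv.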
>> Is there a separate fix for alarm_ioctl? It seems to have the same
>> problem.
>
> Yea, I CC'ed the kernel-team alias yesterday on Dan's original fix for the
> alarm_ioctl, which Greg has already queued.
>
> This is just the follow-on fix to catch the same issue (as you also noted)
> in the compat_ioctl.
>
> thanks
> -john
>
Sorry, I missed that.
Acked-by: Arve Hjønnevåg <arve at android.com>
to both.
--
Arve Hjønnevåg
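
A user-space model of the bug class discussed in this thread, added here as an illustration and not taken from the driver or the patch: a helper leaves "ts" unset on an invalid clock type, and the wrapper either copies it out anyway or returns early. The names ts_model, model_do_ioctl, model_compat_ioctl, CLOCK_TYPE_COUNT and the 0xAA fill that stands in for stale stack contents are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not the driver's real types or commands. */
struct ts_model { long tv_sec; long tv_nsec; };
enum { CLOCK_TYPE_COUNT = 5, STALE = 0xAA };

/* Fills *ts only for a valid clock type; on error *ts is left untouched. */
static int model_do_ioctl(int clock_type, struct ts_model *ts)
{
    if (clock_type < 0 || clock_type >= CLOCK_TYPE_COUNT)
        return -EINVAL;
    ts->tv_sec = 1000 + clock_type;
    ts->tv_nsec = 0;
    return 0;
}

/* patched=0 models the code before the fix, patched=1 the code after it. */
static int model_compat_ioctl(int clock_type, struct ts_model *user_out, int patched)
{
    struct ts_model ts;
    int rv;

    memset(&ts, STALE, sizeof(ts));      /* stands in for stale stack bytes */
    rv = model_do_ioctl(clock_type, &ts);
    if (patched && rv)
        return rv;                       /* the early return the patch adds */
    memcpy(user_out, &ts, sizeof(ts));   /* models the copy to userspace */
    return rv;
}

/* Returns 1 if any byte of *out carries the stale fill pattern. */
static int leaked(const struct ts_model *out)
{
    return memchr(out, STALE, sizeof(*out)) != NULL;
}

int main(void)
{
    struct ts_model out = {0, 0};
    int rv = model_compat_ioctl(99, &out, 0);
    printf("before: rv=%d leaked=%d\n", rv, leaked(&out));
    memset(&out, 0, sizeof(out));
    rv = model_compat_ioctl(99, &out, 1);
    printf("after:  rv=%d leaked=%d\n", rv, leaked(&out));
    return 0;
}
```
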