[patch] staging: alarm-dev: information leak in alarm_compat_ioctl()

Arve Hjønnevåg arve at android.com
Wed Jun 5 00:49:06 UTC 2013


On Tue, Jun 4, 2013 at 5:25 PM, John Stultz <john.stultz at linaro.org> wrote:
> On 06/04/2013 05:07 PM, Arve Hjønnevåg wrote:
>>
>> On Tue, Jun 4, 2013 at 6:13 AM, Dan Carpenter <dan.carpenter at oracle.com>
>> wrote:
>>>
>>> If we pass an invalid clock type then "ts" is never set.  We need to
>>> check for errors earlier, otherwise we end up passing uninitialized
>>> stack data to userspace.
>>>
>>> Reported-by: John Stultz <john.stultz at linaro.org>
>>> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
>>>
>>> diff --git a/drivers/staging/android/alarm-dev.c
>>> b/drivers/staging/android/alarm-dev.c
>>> index c8600d9..6dc27da 100644
>>> --- a/drivers/staging/android/alarm-dev.c
>>> +++ b/drivers/staging/android/alarm-dev.c
>>> @@ -297,6 +297,8 @@ static long alarm_compat_ioctl(struct file *file,
>>> unsigned int cmd,
>>>          }
>>>
>>>          rv = alarm_do_ioctl(file, cmd, &ts);
>>> +       if (rv)
>>> +               return rv;
>>>
>>>          switch (ANDROID_ALARM_BASE_CMD(cmd)) {
>>>          case ANDROID_ALARM_GET_TIME(0): /* NOTE: we modified cmd above
>>> */
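Review bot: the new "if (rv) return rv;" after alarm_do_ioctl() is only as strong as that function's return values, because the ANDROID_ALARM_GET_TIME case below it still assumes that rv == 0 means "ts" was written. Zero-initialising "ts" where it is declared would keep the copy to userspace free of stack data even if a later change adds a success path that leaves it unset.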
>>> @@ -305,7 +307,7 @@ static long alarm_compat_ioctl(struct file *file,
>>> unsigned int cmd,
>>>                  break;
>>>          }
>>>
>>> -       return rv;
>>> +       return 0;
>>>   }
>>>   #endif
>>>
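Review bot: the switch from "return rv" to "return 0" at the end of alarm_compat_ioctl() is not mentioned in the changelog. It is behaviour-neutral only because the first hunk now returns every non-zero rv before the switch, so one sentence saying that would save readers from checking whether a positive return value is being dropped.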
>> Is there a separate fix for alarm_ioctl? It seems to have the same
>> problem.
>
> Yea, I CC'ed the kernel-team alias yesterday on Dan's original fix for the
> alarm_ioctl, which Greg has already queued.
>
> This is just the follow-on fix to catch the same issue (as you also noted)
> in the compat_ioctl.
>
> thanks
> -john
>

Sorry, I missed that.

Acked-by: Arve Hjønnevåg <arve at android.com>

to both.

--
Arve Hjønnevåg
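
The ordering problem described in the changelog quoted above, as an added userspace illustration that is not code from this thread or from the driver. All names (ts32, do_get_time, get_time, stale_bytes_out) are hypothetical, and the 0x5a fill is a constructed stand-in for stale stack contents so the effect is deterministic.

```c
#include <errno.h>
#include <string.h>

/* Constructed stand-ins; none of these names come from the driver. */
struct ts32 { int tv_sec; int tv_nsec; };
#define CLK_COUNT 2 /* valid clock types are 0 and 1 */
#define STALE 0x5a  /* byte value standing in for old stack data */

/* Inner handler: fills *ts only for a valid clock type. */
static int do_get_time(int clk, struct ts32 *ts)
{
    if (clk < 0 || clk >= CLK_COUNT)
        return -EINVAL; /* *ts is left untouched */
    ts->tv_sec = 1000 + clk;
    ts->tv_nsec = 0;
    return 0;
}

/* Wrapper: check_first == 0 is the pre-patch ordering, 1 the patched one. */
static int get_time(int clk, struct ts32 *user, int check_first)
{
    struct ts32 ts;
    int rv;

    memset(&ts, STALE, sizeof(ts)); /* model stale stack contents */
    rv = do_get_time(clk, &ts);
    if (check_first && rv)
        return rv; /* patched: fail before anything is copied */
    memcpy(user, &ts, sizeof(ts)); /* pre-patch: runs even when rv != 0 */
    return rv;
}

/* Number of STALE bytes that reached the caller's zeroed buffer. */
static int stale_bytes_out(int clk, int check_first)
{
    struct ts32 user = { 0, 0 };
    int n = 0;

    get_time(clk, &user, check_first);
    for (size_t i = 0; i < sizeof(user); i++)
        n += ((unsigned char *)&user)[i] == STALE;
    return n;
}

int main(void)
{
    /* Exit status 0 means the patched ordering leaked nothing. */
    return stale_bytes_out(99, 1) != 0;
}
```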


