linux/include
Vegard Nossum 1147c9cdd0 drm: fix leak of uninitialized data to userspace
...so drm_getunique() is trying to copy some uninitialized data to
userspace. The ECX register contains the number of words that are
left to copy -- so there are 5 * 4 = 20 bytes left. The offset of the
first uninitialized byte (counting from the start of the string) is
also 20 (i.e. 0xf65d2294&((1 << 5)-1) == 20). So somebody tried to
copy 40 bytes when the string was only 19 long.

In drm_set_busid() we have this code:

        dev->unique_len = 40;
        dev->unique = drm_alloc(dev->unique_len + 1, DRM_MEM_DRIVER);
      ...
        len = snprintf(dev->unique, dev->unique_len, "pci:%04x:%02x:%02x.%d",

...so it seems that dev->unique is never updated to reflect the
actual length of the string. The remaining bytes (20 in this case)
are random uninitialized bytes that are copied into userspace.

This patch fixes the problem by setting dev->unique_len after the
snprintf().

airlied- I've had to fix this up to store the alloced size so
we have it for drm_free later.

Reported-by: Sitsofe Wheeler <sitsofe@yahoo.com>
Signed-off-by: Vegard Nossum <vegardno@thuin.ifi.uio.no>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2008-12-29 17:47:22 +10:00
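The bug class in the commit above (an object carrying a "length" field that reflects the allocation size rather than what was actually written, later used as the count for copy_to_user()) is easier to see in a self-contained model than in the kernel tree. The following is an added user-space example, not code from the kernel or from this commit: `fake_dev`, the poison fill standing in for whatever the previous owner of the heap memory left behind, and `memcpy` standing in for `copy_to_user()` are all assumptions for illustration. The buggy variant mirrors the commit message's description of drm_set_busid() (unique_len fixed at 40, snprintf() return value dropped); the fixed variant records the snprintf() result as unique_len and keeps the allocation size separately so it can still be freed, as the commit describes. It also clamps unique_len on truncation, which goes beyond the commit: snprintf() returns the length it wanted to write, not the length it wrote, so assigning it blindly would over-read the buffer in the other direction.

```c
/* Added example: user-space model of the drm_set_busid()/drm_getunique()
 * pattern described in commit 1147c9cdd0. Not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0xA5   /* assumption: marks heap bytes the setter never wrote */

struct fake_dev {
    char  *unique;        /* bus id string (dev->unique in the commit) */
    size_t unique_len;    /* what getunique() copies to "userspace" */
    size_t unique_size;   /* allocation size, kept so free() still works */
};

/* Stand-in for drm_alloc(): heap memory pre-filled with POISON so that any
 * byte leaking out is recognizable. Real uninitialized heap holds stale data. */
static void *poisoned_alloc(size_t n)
{
    unsigned char *p = malloc(n);
    if (p)
        memset(p, POISON, n);
    return p;
}

typedef int (*busid_fn)(struct fake_dev *, unsigned, unsigned, unsigned, int);

/* Buggy variant, as in the commit message: unique_len stays at 40 even
 * though snprintf() only wrote the string plus a NUL. */
static int set_busid_buggy(struct fake_dev *dev, unsigned dom, unsigned bus,
                           unsigned slot, int func)
{
    dev->unique_len  = 40;
    dev->unique_size = dev->unique_len + 1;
    dev->unique = poisoned_alloc(dev->unique_size);
    if (!dev->unique)
        return -1;
    /* Return value discarded; unique_len never reflects the real length. */
    snprintf(dev->unique, dev->unique_len, "pci:%04x:%02x:%02x.%d",
             dom, bus, slot, func);
    return 0;
}

/* Fixed variant: unique_len is what snprintf() actually produced, clamped
 * to the buffer in case of truncation; unique_size remembers the allocation. */
static int set_busid_fixed(struct fake_dev *dev, unsigned dom, unsigned bus,
                           unsigned slot, int func)
{
    int len;

    dev->unique_size = 41;
    dev->unique = poisoned_alloc(dev->unique_size);
    if (!dev->unique)
        return -1;
    len = snprintf(dev->unique, dev->unique_size, "pci:%04x:%02x:%02x.%d",
                   dom, bus, slot, func);
    if (len < 0) {
        free(dev->unique);
        dev->unique = NULL;
        return -1;
    }
    if ((size_t)len >= dev->unique_size)      /* truncated: only size-1 chars exist */
        len = (int)(dev->unique_size - 1);
    dev->unique_len = (size_t)len;
    return 0;
}

/* Model of drm_getunique(): copies unique_len bytes into the caller's buffer
 * if it is large enough (memcpy stands in for copy_to_user). Returns the
 * number of bytes copied, 0 if the caller's buffer was too small. */
static size_t getunique(const struct fake_dev *dev, unsigned char *ubuf, size_t ulen)
{
    if (ulen < dev->unique_len)
        return 0;
    memcpy(ubuf, dev->unique, dev->unique_len);
    return dev->unique_len;
}

/* Runs one variant end to end; returns the count of POISON bytes that reached
 * the "user" buffer and, via *copied, how many bytes were copied in total. */
static size_t run_variant(busid_fn setter, size_t *copied)
{
    struct fake_dev dev = {0};
    unsigned char ubuf[64];
    size_t n, i, leaked = 0;

    if (setter(&dev, 0x0000, 0x01, 0x00, 0) != 0)   /* "pci:0000:01:00.0" */
        return (size_t)-1;
    n = getunique(&dev, ubuf, sizeof ubuf);
    for (i = 0; i < n; i++)
        if (ubuf[i] == POISON)
            leaked++;
    free(dev.unique);
    if (copied)
        *copied = n;
    return leaked;
}

static size_t leaked_bytes(busid_fn setter) { return run_variant(setter, NULL); }
static size_t copied_bytes(busid_fn setter) { size_t n = 0; run_variant(setter, &n); return n; }

int main(void)
{
    printf("buggy: copied %zu bytes, %zu never written\n",
           copied_bytes(set_busid_buggy), leaked_bytes(set_busid_buggy));
    printf("fixed: copied %zu bytes, %zu never written\n",
           copied_bytes(set_busid_fixed), leaked_bytes(set_busid_fixed));
    return 0;
}
```

With the constructed bus id "pci:0000:01:00.0" (16 characters) the buggy variant hands 40 bytes to the caller, of which 23 were never written by snprintf(); the fixed variant hands over exactly the 16 characters of the string. The same check (does the length field track what was written, or what was allocated?) is the one to apply to any ioctl path that copies a length-prefixed heap buffer to userspace.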
acpi ACPI: don't cond_resched() when irqs_disabled() 2008-12-19 04:38:33 -05:00
asm-arm
asm-frv ide: fix support for IDE PCI controllers using MMIO on frv 2008-10-17 18:09:14 +02:00
asm-generic atomic: fix a typo in atomic_long_xchg() 2008-12-10 08:01:53 -08:00
asm-h8300 h8300: update timer handler - new files 2008-10-16 11:21:29 -07:00
asm-m32r [PATCH] remove unused ibcs2/PER_SVR4 in SET_PERSONALITY 2008-10-16 15:40:05 +02:00
asm-m68k proc: move /proc/hardware to m68k-specific code 2008-10-23 14:24:03 +04:00
asm-mn10300 MN10300: Fix __put_user_asm8() 2008-12-10 13:34:33 -08:00
asm-xtensa Merge git://git.kernel.org/pub/scm/linux/kernel/git/czankel/xtensa-2.6 2008-10-23 09:16:56 -07:00
crypto
drm drm: fix leak of uninitialized data to userspace 2008-12-29 17:47:22 +10:00
keys
linux Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-12-18 12:00:46 -08:00
math-emu math-emu: Fix thinko in _FP_DIV 2008-10-22 22:09:59 -07:00
media V4L/DVB (9335): videobuf: split unregister bus creating self-contained frontend de-allocator 2008-10-21 14:32:08 -02:00
mtd
net irda: Add irda_skb_cb qdisc related padding 2008-12-17 15:44:58 -08:00
pcmcia
rdma
rxrpc
scsi [SCSI] fc_transport: fix old bug on bitflag definitions 2008-11-21 17:30:53 +09:00
sound Merge branches 'topic/fix/misc' and 'topic/fix/hda' into for-linus 2008-11-10 17:58:46 +01:00
trace sched: clean up tracepoints 2008-10-14 10:33:14 +02:00
video Revert "radeonfb: accelerate imageblit and other improvements" 2008-12-10 16:53:32 -08:00
xen
Kbuild