linux/drivers
Stefan Richter eaca2d8e75 firewire: cdev: prevent kernel stack leaking into ioctl arguments
Found by the UC-KLEE tool:  A user could supply less input to
firewire-cdev ioctls than write- or write/read-type ioctl handlers
expect.  The handlers used data from uninitialized kernel stack then.

This could partially leak back to the user if the kernel subsequently
generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
which notably would contain the _u64 closure field which many of the
ioctl argument structures contain.

The fact that the handlers would act on random garbage input is a
lesser issue since all handlers must check their input anyway.

The fix simply always null-initializes the entire ioctl argument buffer
regardless of the actual length of expected user input.  That is, a
runtime overhead of memset(..., 40) is added to each firewire-cdev
ioctl() call.  [Comment from Clemens Ladisch:  This part of the stack is
most likely to be already in the cache.]

Remarks:
  - There was never any leak from kernel stack to the ioctl output
    buffer itself.  IOW, it was not possible to read kernel stack by a
    read-type or write/read-type ioctl alone; the leak could at most
    happen in combination with read()ing subsequent event data.
  - The actual expected minimum user input of each ioctl from
    include/uapi/linux/firewire-cdev.h is, in bytes:
    [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
    [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
    [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
    [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
    [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.

Reported-by: David Ramos <daramos@stanford.edu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2014-11-14 12:10:13 +01:00
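The bug class the commit describes, as an added userspace model that is not the driver's code: a dispatcher copies only as many bytes as the caller supplied into a 40-byte on-stack argument buffer, the handler reads the full struct anyway, and the closure field it did not receive from the user is whatever an earlier call left on the stack; that value later surfaces in an event. Only the 40-byte buffer and the u64 closure field mirror the commit; struct demo_ioctl_arg, struct demo_event, the stale pattern and every demo_* name are hypothetical, and the "stale stack" is a pre-filled array standing in for real kernel stack reuse. The zero_init flag switches in the fix (memset of the whole buffer before copy_from_user).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the on-stack union of all ioctl argument structs, per the commit. */
#define DEMO_ARG_BUF_SIZE 40

/* Hypothetical write-type ioctl argument. Only the u64 closure field mirrors
 * the real firewire-cdev structs; the other fields are made up. */
struct demo_ioctl_arg {
	uint32_t handle;
	uint32_t flags;
	uint64_t closure;	/* handed back to user space in a later event */
};

/* Hypothetical event later returned by read() on the device fd. */
struct demo_event {
	uint32_t type;
	uint64_t closure;
};

/* Model of the region of kernel stack holding the argument buffer. A real
 * stack keeps whatever an earlier call left there; demo_stack_pollute()
 * stands in for that earlier call. */
struct demo_stack {
	uint8_t buffer[DEMO_ARG_BUF_SIZE];
};

#define DEMO_STALE 0xdeadbeefcafef00dULL	/* constructed "secret" left by an earlier call */
#define DEMO_USER_CLOSURE 0x1111ULL		/* closure the user actually passed */

static void demo_stack_pollute(struct demo_stack *st)
{
	uint64_t stale = DEMO_STALE;
	size_t off;

	/* Byte-for-byte copies keep the layout identical on any endianness. */
	for (off = 0; off + sizeof(stale) <= sizeof(st->buffer); off += sizeof(stale))
		memcpy(st->buffer + off, &stale, sizeof(stale));
}

/* Model of an ioctl handler: it reads the whole struct, as the real handlers
 * do, regardless of how many bytes the dispatcher actually copied in. */
static void demo_handler(const struct demo_stack *st, struct demo_event *ev)
{
	struct demo_ioctl_arg a;

	memcpy(&a, st->buffer, sizeof(a));
	ev->type = 1;
	ev->closure = a.closure;
}

/* Model of the dispatcher. user_len is the byte count copied from user space
 * (in the real driver it is derived from the ioctl command number);
 * zero_init selects the behaviour with the fix applied. */
static int demo_ioctl(struct demo_stack *st, const void *user, size_t user_len,
		      int zero_init, struct demo_event *ev)
{
	if (user_len > sizeof(st->buffer))
		return -1;
	if (zero_init)
		memset(st->buffer, 0, sizeof(st->buffer));	/* the fix */
	memcpy(st->buffer, user, user_len);			/* copy_from_user() */
	demo_handler(st, ev);
	return 0;
}

/* Closure value a user reads back from the event after supplying only the
 * first user_len bytes of the argument struct. Returns 0 on a rejected call. */
uint64_t demo_closure_after_ioctl(size_t user_len, int zero_init)
{
	struct demo_stack st;
	struct demo_ioctl_arg in = { .handle = 7, .flags = 0, .closure = DEMO_USER_CLOSURE };
	struct demo_event ev = { 0 };

	demo_stack_pollute(&st);		/* an earlier syscall ran here */
	if (demo_ioctl(&st, &in, user_len, zero_init, &ev) != 0)
		return 0;
	return ev.closure;
}

/* 1 if a write that stops just before the closure field leaks stale stack
 * bytes through the event's closure, 0 otherwise. */
int demo_leaks(int zero_init)
{
	return demo_closure_after_ioctl(offsetof(struct demo_ioctl_arg, closure),
					zero_init) == DEMO_STALE;
}

int main(void)
{
	printf("short input, no memset: closure=%#llx leak=%d\n",
	       (unsigned long long)demo_closure_after_ioctl(8, 0), demo_leaks(0));
	printf("short input, memset:    closure=%#llx leak=%d\n",
	       (unsigned long long)demo_closure_after_ioctl(8, 1), demo_leaks(1));
	printf("full input, no memset:  closure=%#llx\n",
	       (unsigned long long)demo_closure_after_ioctl(sizeof(struct demo_ioctl_arg), 0));
	return 0;
}
```

The model also shows why the commit's remark holds that the leak needs a subsequent read(): nothing is copied back in the ioctl itself, the stale bytes travel only through the event the handler records. Clearing the whole buffer before the partial copy is cheaper to reason about than sizing the copy per handler, which is the trade the commit makes.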
accessibility
acpi Merge branches 'acpi-scan' and 'acpi-ec' 2014-10-31 22:24:44 +01:00
amba PM / Domains: Move dev_pm_domain_attach|detach() to pm_domain.h 2014-09-30 01:16:44 +02:00
ata Merge branch 'for-linus' of git://git.infradead.org/users/vkoul/slave-dma 2014-10-18 18:11:04 -07:00
atm atm: simplify lanai.c by using module_pci_driver 2014-10-17 11:55:32 -04:00
auxdisplay
base tiny: rename ENABLE_DEV_COREDUMP to ALLOW_DEV_COREDUMP 2014-11-07 11:07:35 -08:00
bcma bcma: add another PCI ID of device with BCM43228 2014-10-23 14:02:06 -04:00
block Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2014-11-03 15:04:26 -08:00
bluetooth Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2014-10-13 11:28:42 +02:00
bus ARM: SoC driver updates for 3.18 2014-10-08 17:37:16 -04:00
cdrom
char Return short read or 0 at end of a raw device, not EIO 2014-10-31 06:33:26 -04:00
clk The clk tree changes for 3.18 are dominated by clock drivers. Mostly 2014-10-15 07:05:03 +02:00
clocksource ARM/ARM64: arch-timer: fix arch_timer_probed logic 2014-10-26 20:50:00 +01:00
connector
cpufreq cpufreq: cpufreq-dt: Restore default cpumask_setall(policy->cpus) 2014-10-27 23:27:35 +01:00
cpuidle Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2014-10-24 12:48:47 -07:00
crypto crypto: LLVMLinux: Remove VLAIS from crypto/.../qat_algs.c 2014-10-14 10:51:23 +02:00
dca
devfreq PM / devfreq: exynos: Enable building exynos PPMU as module 2014-09-29 20:22:36 +09:00
dio
dma dma: edma: move device registration to platform code 2014-11-05 18:26:10 -08:00
dma-buf dma-buf: don't open-code atomic_long_read() 2014-10-09 02:39:07 -04:00
edac e7xxx_edac: Report CE events properly 2014-10-22 22:59:00 +02:00
eisa
extcon
firewire firewire: cdev: prevent kernel stack leaking into ioctl arguments 2014-11-14 12:10:13 +01:00
firmware Merge branch 'x86-efi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-10-23 14:45:09 -07:00
fmc
gpio This is the bulk of GPIO changes for the v3.18 development 2014-10-09 14:58:15 -04:00
gpu drm/exynos: correct connector->dpms field before resuming 2014-11-03 01:51:28 +09:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2014-10-29 11:52:35 -07:00
hsi
hv
hwmon hwmon: (menf21bmc) Include linux/err.h 2014-10-19 18:41:18 -07:00
hwspinlock
i2c i2c: core: Dispose OF IRQ mapping at client removal time 2014-11-07 19:03:18 +01:00
ide Merge branch 'for-3.18/drivers' of git://git.kernel.dk/linux-block 2014-10-18 12:12:45 -07:00
idle
iio iio: as3935: allocate correct iio_device size 2014-11-05 18:33:46 +00:00
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-10-31 15:04:58 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2014-10-31 19:51:11 -07:00
iommu IOMMU Updates for Linux v3.18 2014-10-15 07:23:49 +02:00
ipack
irqchip irqchip: armada-370-xp: Fix MPIC interrupt handling 2014-11-02 01:31:10 +00:00
isdn isdn/gigaset: fix usb_gigaset write_cmd result race 2014-10-14 15:05:35 -04:00
leds Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds 2014-10-21 08:18:38 -07:00
lguest
macintosh
mailbox Merge branch 'mailbox-for-linus' of git://git.linaro.org/landing-teams/working/fujitsu/integration 2014-10-21 11:21:19 -07:00
mcb
md . fix DM's long-standing excessive use of memory by leveraging the new 2014-10-18 12:25:30 -07:00
media [media] sp2: sp2_init() can be static 2014-11-03 19:08:06 -02:00
memory
memstick memstick: r592: fix build warnings for !PM_SLEEP 2014-10-14 02:18:22 +02:00
message SCSI for-linus on 20141007 2014-10-07 21:29:18 -04:00
mfd Changes to existing drivers: 2014-10-15 06:58:16 +02:00
misc cxl: Fix PSL error due to duplicate segment table entries 2014-10-28 19:52:52 +11:00
mmc mmc: core: fix card detection regression 2014-11-05 09:28:48 +01:00
mtd Three main MTD fixes for 3.18: 2014-11-02 14:45:52 -08:00
net Merge tag 'master-2014-10-30' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-10-31 16:18:35 -04:00
nfc Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-10-07 14:48:29 -04:00
ntb ntb: Adding split BAR support for Haswell platforms 2014-10-17 07:08:51 -04:00
nubus
of of: Fix overflow bug in string property parsing functions 2014-11-04 10:19:48 +00:00
oprofile
parisc Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-10-13 16:23:15 +02:00
parport
pci PCI updates for v3.18: 2014-10-31 18:48:29 -07:00
pcmcia
phy phy: omap-usb2: Enable runtime PM of omap-usb2 phy properly 2014-11-05 14:34:06 -08:00
pinctrl pinctrl: baytrail: show output gpio state correctly on Intel Baytrail 2014-10-28 11:16:26 +01:00
platform quirk for Lenovo Yoga 3: no rfkill switch 2014-10-27 21:45:13 -07:00
pnp PNP: replace strnicmp with strncasecmp 2014-10-14 02:18:25 +02:00
power power: reset: at91-reset: fix power down register 2014-10-22 10:08:22 +02:00
powercap
pps
ps3
ptp
pwm pwm: Changes for v3.18-rc1 2014-10-21 08:17:43 -07:00
rapidio
ras
regulator Merge remote-tracking branches 'regulator/fix/max1586', 'regulator/fix/max77686', 'regulator/fix/max77693', 'regulator/fix/max77802', 'regulator/fix/max8860' and 'regulator/fix/s2mpa01' into regulator-linus 2014-11-05 14:59:25 +00:00
remoteproc
reset
rpmsg
rtc drivers/rtc/rtc-bq32k.c: fix register value 2014-10-29 16:33:14 -07:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2014-10-21 07:47:54 -07:00
sbus
scsi libcxgbi : support ipv6 address host_param 2014-10-28 09:57:00 +01:00
sfi
sh
sn
soc soc: versatile: Add terminating entry for realview_soc_of_match 2014-10-28 22:05:07 +01:00
spi Merge remote-tracking branches 'spi/fix/fsl-dspi' and 'spi/fix/pxa2xx' into spi-linus 2014-11-06 12:58:46 +00:00
spmi
ssb This is the bulk of GPIO changes for the v3.18 development 2014-10-09 14:58:15 -04:00
staging Second round of IIO fixes for the 3.18 cycle. 2014-11-05 11:30:45 -08:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2014-10-21 13:06:38 -07:00
tc
thermal Thermal:Remove usless if(!result) before return tz 2014-11-03 18:59:50 -04:00
thunderbolt
tty tty: Fix pty master poll() after slave closes v2 2014-11-06 12:23:36 -08:00
uio uio: Export definition of struct uio_device 2014-10-02 21:35:54 -07:00
usb USB: cdc-acm: add quirk for control-line state requests 2014-11-06 12:25:40 -08:00
uwb
vfio IOMMU Updates for Linux v3.18 2014-10-15 07:23:49 +02:00
vhost
video Merge branch '3.18/omapdss-fixes' into 3.18/fbdev-fixes 2014-10-30 14:53:49 +02:00
virt
virtio One cc: stable commit, the rest are a series of minor cleanups which have 2014-10-18 10:25:09 -07:00
vlynq
vme
w1
watchdog watchdog: meson: remove magic value for reboot 2014-10-20 21:09:17 +02:00
xen xen/pci: Allocate memory for physdev_pci_device_add's optarr 2014-10-23 16:24:02 +01:00
zorro
Kconfig
Makefile