    firewire: cdev: fix user memory corruption (i386 userland on amd64 kernel) · 790198f7
    Stefan Richter authored
    Fix two bugs of the /dev/fw* character device concerning the
    FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset.
    (Practically all /dev/fw* clients issue this ioctl right after opening
    the device.)
    
    Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36
    without natural alignment and 40 with natural alignment.
    
     1) Memory corruption, affecting i386 userland on amd64 kernel:
        Userland reserves a 36-byte buffer, kernel writes 40 bytes.
        This was first found and reported against libraw1394 if
        compiled with gcc 4.7, which happens to order libraw1394's stack such
        that the bug became visible as data corruption.
    
     2) Information leak, affecting all kernel architectures except i386:
        4 bytes of random kernel stack data were leaked to userspace.
    
    Hence limit the respective copy_to_user() to the 32-bit aligned size of
    struct fw_cdev_event_bus_reset.
    Reported-by: Simon Kirby <sim@hostway.ca>
    Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
    Cc: stable@kernel.org
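Added illustration, not code from this commit: a C model of the two bugs and of the bounded copy that fixes them. It assumes the field layout of struct fw_cdev_event_bus_reset from firewire-cdev.h (one __u64 followed by seven __u32) and replaces the real ioctl path and copy_to_user() with the stand-ins run_get_info() and copy_event_to_user():

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Field layout assumed from include/uapi/linux/firewire-cdev.h: one 64-bit
 * field then seven 32-bit fields, 36 bytes of payload. A 64-bit compiler
 * aligns the struct to 8 and pads it to 40; an i386 compiler stops at 36. */
struct fw_cdev_event_bus_reset {
    uint64_t closure;
    uint32_t type, node_id, local_node_id, bm_node_id,
             irm_node_id, root_node_id, generation;
};
#define BUS_RESET_ABI_SIZE 36   /* 32-bit aligned size: what the fix copies */

/* How this compiler lays the event out (40 on amd64) and why (u64 alignment). */
size_t natural_event_size(void) { return sizeof(struct fw_cdev_event_bus_reset); }
size_t u64_alignment(void) { return _Alignof(uint64_t); }

/* Stand-in for copy_to_user(): copies n bytes into a userland buffer of
 * ubuf_len bytes, refusing (-1) rather than overrunning either side. */
int copy_event_to_user(uint8_t *ubuf, size_t ubuf_len,
                       const struct fw_cdev_event_bus_reset *ev, size_t n)
{
    if (n > ubuf_len || n > sizeof *ev)
        return -1;
    memcpy(ubuf, ev, n);
    return 0;
}

/* Model of the GET_INFO path: the client reserved ubuf_len bytes (64 max here)
 * and the kernel copies copy_len. Returns -1 on overrun (bug 1), otherwise the
 * number of stale padding bytes handed to userspace (bug 2); 0 is a clean copy. */
long run_get_info(size_t ubuf_len, size_t copy_len)
{
    struct fw_cdev_event_bus_reset ev;
    uint8_t ubuf[64] = { 0 };
    long leaked = 0;
    if (ubuf_len > sizeof ubuf) return -1;
    /* Constructed stale stack contents: 0xAA stands in for whatever the
     * uninitialised padding inherited from earlier kernel stack frames. */
    memset(&ev, 0xAA, sizeof ev);
    ev.closure = 0; ev.type = 2; ev.generation = 1;   /* constructed values */
    ev.node_id = ev.local_node_id = ev.bm_node_id = 0xffc0;
    ev.irm_node_id = ev.root_node_id = 0xffc0;
    if (copy_event_to_user(ubuf, ubuf_len, &ev, copy_len) != 0)
        return -1;
    for (size_t i = 0; i < copy_len; i++)   /* no genuine field byte is 0xAA */
        if (ubuf[i] == 0xAA) leaked++;
    return leaked;
}
```

On a 64-bit build, run_get_info(36, natural_event_size()) reproduces the overrun against an i386 client and run_get_info(40, 40) reports the 4 leaked padding bytes, while copying BUS_RESET_ABI_SIZE bytes is clean in both cases.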
core-cdev.c 46.5 KB