Commit 5e22002a authored by Kees Cook's avatar Kees Cook Committed by David S. Miller

isdn: Disable IIOCDBGVAR

It was possible to directly leak the kernel address where the isdn_dev
structure pointer was stored. This is a kernel ASLR bypass for anyone
with access to the ioctl. The code had been present since the beginning
of git history, though this shouldn't ever be needed for normal operation,
therefore remove it.
Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Cc: Karsten Keil <isdn@linux-pingi.de>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 45316818
...@@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg) ...@@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg)
} else } else
return -EINVAL; return -EINVAL;
case IIOCDBGVAR: case IIOCDBGVAR:
if (arg) { return -EINVAL;
if (copy_to_user(argp, &dev, sizeof(ulong)))
return -EFAULT;
return 0;
} else
return -EINVAL;
break;
default: default:
if ((cmd & IIOCDRVCTL) == IIOCDRVCTL) if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK; cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment