Re: a kernel address leak via copy_to_user in drivers/tty/rocket.c

From: Greg KH
Date: Sat Mar 30 2019 - 03:14:20 EST

Next message: Dan Carpenter: "Re: [PATCH] net/bluetooth: Fix bound check in event handling"
Previous message: Greg KH: "Re: linux-next: Fixes tag needs some work in the tty.current tree"
In reply to: Fuqian Huang: "a kernel address leak via copy_to_user in drivers/tty/rocket.c"
Next in thread: Fuqian Huang: "Re: a kernel address leak via copy_to_user in drivers/tty/rocket.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Mar 30, 2019 at 03:05:11PM +0800, Fuqian Huang wrote:
> Hi, recently I found that there is a kernel address leaks to user
> space via copy_to_user in
> drivers/tty/rocket.c:1287 (linux-5.0.5)
> static int rp_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned
> long arg) {
> ...
> case RCKP_GET_STRUCT:
> if (copy_to_user(argp, info, sizeof(struct r_port))
> ...
> }
> The `info` is a struct r_port. and the field `r_port.port.ops` is an
> constant pointer,
> and it points to a constant object `rocket_port_ops` during the initialization.
> (function init_r_port) (drivers/tty/rocket.c:633)
>
> patch suggestion:
> set the pointer field to null before the copy to user call.

Great, can you send a patch to fix this so that you get the proper
credit for finding and resolving it?

thanks,

greg k-h

Next message: Dan Carpenter: "Re: [PATCH] net/bluetooth: Fix bound check in event handling"
Previous message: Greg KH: "Re: linux-next: Fixes tag needs some work in the tty.current tree"
In reply to: Fuqian Huang: "a kernel address leak via copy_to_user in drivers/tty/rocket.c"
Next in thread: Fuqian Huang: "Re: a kernel address leak via copy_to_user in drivers/tty/rocket.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]