s390/sclp_ctl: fix potential information leak with /dev/sclp - BMC/Intel-BMC/linux.git - Intel OpenBMC Linux kernel source tree (mirror)

diff options

author	Martin Schwidefsky <schwidefsky@de.ibm.com>	2016-04-25 18:54:28 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2016-09-15 09:27:51 +0300
commit	2d29d6cec3bc5473efdad3b143404d9e32817c86 (patch)
tree	efd22118f3fcab3b560f1d46fc080722cdeb8056 /drivers/gpu/drm
parent	ffd5ce2ad5fd140ddd492ab2064e29e86aaa64ea (diff)
download	linux-2d29d6cec3bc5473efdad3b143404d9e32817c86.tar.xz

s390/sclp_ctl: fix potential information leak with /dev/sclp

commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream. The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to retrieve the sclp request from user space. The first copy_from_user fetches the length of the request which is stored in the first two bytes of the request. The second copy_from_user gets the complete sclp request, but this copies the length field a second time. A malicious user may have changed the length in the meantime. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'drivers/gpu/drm')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: