diff options
author | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2016-04-25 18:54:28 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2016-09-15 09:27:51 +0300 |
commit | 2d29d6cec3bc5473efdad3b143404d9e32817c86 (patch) | |
tree | efd22118f3fcab3b560f1d46fc080722cdeb8056 /drivers/gpu/drm | |
parent | ffd5ce2ad5fd140ddd492ab2064e29e86aaa64ea (diff) | |
download | linux-2d29d6cec3bc5473efdad3b143404d9e32817c86.tar.xz |
s390/sclp_ctl: fix potential information leak with /dev/sclp
commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream.
The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
retrieve the sclp request from user space. The first copy_from_user
fetches the length of the request which is stored in the first two
bytes of the request. The second copy_from_user gets the complete
sclp request, but this copies the length field a second time.
A malicious user may have changed the length in the meantime.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/gpu/drm')
0 files changed, 0 insertions, 0 deletions