s390/sclp_ctl: fix potential information leak with /dev/sclp - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Martin Schwidefsky <schwidefsky@de.ibm.com>	2016-04-25 17:54:28 +0200
committer	Martin Schwidefsky <schwidefsky@de.ibm.com>	2016-04-27 09:33:39 +0200
commit	532c34b5fbf1687df63b3fcd5b2846312ac943c6 (patch)
tree	3bc98a98c96a419d250e46dc7b0426b73ed65d58 /arch
parent	723cacbd9dc79582e562c123a0bacf8bfc69e72a (diff)
download	linux-532c34b5fbf1687df63b3fcd5b2846312ac943c6.tar.bz2

s390/sclp_ctl: fix potential information leak with /dev/sclp

The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to retrieve the sclp request from user space. The first copy_from_user fetches the length of the request which is stored in the first two bytes of the request. The second copy_from_user gets the complete sclp request, but this copies the length field a second time. A malicious user may have changed the length in the meantime. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

Diffstat (limited to 'arch')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: