| From 154ad2ac6bd91006f9b3168b2d892060e3a5e467 Mon Sep 17 00:00:00 2001 |
| From: Kees Cook <keescook@chromium.org> |
| Date: Thu, 25 Oct 2012 13:38:16 -0700 |
| Subject: [PATCH] fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check |
| |
| commit 12176503366885edd542389eed3aaf94be163fdb upstream. |
| |
| The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check |
| while converting ioctl arguments. This could lead to leaking kernel |
| stack contents into userspace. |
| |
| Patch extracted from existing fix in grsecurity. |
| |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Cc: David Miller <davem@davemloft.net> |
| Cc: Brad Spengler <spender@grsecurity.net> |
| Cc: PaX Team <pageexec@freemail.hu> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| fs/compat_ioctl.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c |
| index 641640dc7ae5..7a00d9b155bf 100644 |
| --- a/fs/compat_ioctl.c |
| +++ b/fs/compat_ioctl.c |
| @@ -227,6 +227,8 @@ static int do_video_set_spu_palette(unsigned int fd, unsigned int cmd, |
| |
| err = get_user(palp, &up->palette); |
| err |= get_user(length, &up->length); |
| + if (err) |
| + return -EFAULT; |
| |
| up_native = compat_alloc_user_space(sizeof(struct video_spu_palette)); |
| err = put_user(compat_ptr(palp), &up_native->palette); |
| -- |
| 1.8.5.2 |
| |