diff options
| author | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2016-04-25 17:54:28 +0200 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2016-08-22 22:38:28 +0100 |
| commit | 8229d94adedd2cad31fee2e90b1becb2fdc09b9d (patch) | |
| tree | 22ca600ebf635d2b6d1bc4fe2f00c6c1733d4a2e /include/linux/genalloc.h | |
| parent | 81bba9ff4d40b43b0ff92c0d6a9852aadf333ce3 (diff) | |
s390/sclp_ctl: fix potential information leak with /dev/sclp
commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream.
The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
retrieve the sclp request from user space. The first copy_from_user
fetches the length of the request which is stored in the first two
bytes of the request. The second copy_from_user gets the complete
sclp request, but this copies the length field a second time.
A malicious user may have changed the length in the meantime.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'include/linux/genalloc.h')
0 files changed, 0 insertions, 0 deletions