[dm-devel] [PATCH] dm ioctl: prevent stack leak in dm ioctl call
Alasdair G Kergon
agk at redhat.com
Wed Apr 26 01:06:09 UTC 2017
On Tue, Apr 25, 2017 at 05:57:41PM -0700, Adrian Salido wrote:
> 1. param_kernel is allocated from stack and passed to copy_params
> 2. copy_params only copies up to param_kernel->data from user
> (param_kernel->data still contains stack contents)
> 3. in copy_params, since there are no params it will skip through and
> return param = dmi = param_kernel
after setting
dmi->data_size = minimum_data_size;
and then
input_param_size = param->data_size;
> 4. that stale data is copied back to user
because it is incorrectly extending the buffer?
param->data_size = sizeof(*param);
instead of continuing to use input_param_size?
Alasdair
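The four steps in the report describe a general kernel infoleak pattern: a parameter block is allocated on the stack, only its header is copied in from user space, its size field is then widened to the full structure, and the whole structure is copied back out, stale stack bytes included. The following user-space model is an added illustration of that pattern and of the fix implied above (keep copying back the input size rather than sizeof(*param)); it is not code from the dm-ioctl patch or from the kernel. `struct param`, `ioctl_leaky`, `ioctl_fixed`, `leaked_bytes` and the `STALE_BYTE` fill are all constructed for the example; `memcpy` stands in for copy_from_user/copy_to_user, and because a real local variable's stale contents are not deterministic in user space, the caller hands in the storage that plays the role of `param_kernel`, pre-filled with a marker byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an ioctl parameter block: a fixed header followed
 * by a variable-length data area. This is NOT the kernel's struct dm_ioctl. */
struct param {
    uint32_t data_size;   /* total bytes the caller's buffer holds */
    uint32_t flags;
    uint8_t  data[24];    /* payload; only meaningful if data_size covers it */
};

/* Header-only request: the smallest data_size a caller may pass. */
#define MINIMUM_DATA_SIZE ((uint32_t)offsetof(struct param, data))

/* Marker the test pre-fills the "stack" with to stand for stale contents. */
#define STALE_BYTE 0xAA

/* Steps 1-4 of the report in one function: copy in only the header, widen
 * data_size to the whole struct, copy the whole struct back out. */
static int ioctl_leaky(uint8_t *user, size_t user_len, struct param *param_kernel)
{
    uint32_t input_param_size;

    if (user_len < MINIMUM_DATA_SIZE)
        return -1;

    /* Step 2: only the header is copied; param_kernel->data is untouched. */
    memcpy(param_kernel, user, MINIMUM_DATA_SIZE);
    param_kernel->data_size = MINIMUM_DATA_SIZE;
    input_param_size = param_kernel->data_size;
    (void)input_param_size;   /* never used for the copy-out: that is the bug */

    /* The bug: data_size is widened to the full struct before the copy back. */
    param_kernel->data_size = sizeof(*param_kernel);
    if (user_len < param_kernel->data_size)
        return -1;

    /* Step 4: sizeof(*param) bytes go back, 24 of them never written here. */
    memcpy(user, param_kernel, param_kernel->data_size);
    return (int)param_kernel->data_size;
}

/* Hardened form: clear the local so no uninitialized byte can ever reach
 * the copy-out path, and copy back only what the caller handed in. */
static int ioctl_fixed(uint8_t *user, size_t user_len, struct param *param_kernel)
{
    uint32_t input_param_size;

    if (user_len < MINIMUM_DATA_SIZE)
        return -1;

    memset(param_kernel, 0, sizeof(*param_kernel));
    memcpy(param_kernel, user, MINIMUM_DATA_SIZE);
    param_kernel->data_size = MINIMUM_DATA_SIZE;
    input_param_size = param_kernel->data_size;

    /* Copy back input_param_size bytes, not sizeof(*param). */
    memcpy(user, param_kernel, input_param_size);
    return (int)input_param_size;
}

/* Drive one handler with a header-only request and count how many marker
 * bytes end up in the user buffer past the header. Returns -1 on error. */
static long leaked_bytes(int (*handler)(uint8_t *, size_t, struct param *))
{
    struct param stack_slot;                 /* plays the role of param_kernel */
    uint8_t user[sizeof(struct param)] = {0};  /* constructed user buffer */
    struct param req = { .data_size = MINIMUM_DATA_SIZE, .flags = 0 };
    size_t i;
    long n = 0;

    memset(&stack_slot, STALE_BYTE, sizeof(stack_slot));
    memcpy(user, &req, MINIMUM_DATA_SIZE);
    if (handler(user, sizeof(user), &stack_slot) < 0)
        return -1;
    for (i = MINIMUM_DATA_SIZE; i < sizeof(user); i++)
        if (user[i] == STALE_BYTE)
            n++;
    return n;
}

int main(void)
{
    printf("leaky handler returned %ld stale bytes to user space\n",
           leaked_bytes(ioctl_leaky));
    printf("fixed handler returned %ld stale bytes to user space\n",
           leaked_bytes(ioctl_fixed));
    return 0;
}
```

With the layout above the leaky handler hands back all 24 bytes of the data area as stale marker bytes, while the fixed handler hands back none: it both zeroes the local and bounds the copy-out by the size the caller supplied, so either half of the fix alone would already close this particular leak.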