sched: Fix information leak in sys_sched_getattr()android-wear-6.0.1_r0.67

CVE-2014-9903 We're copying the on-stack structure to userspace, but forgot to give the right number of bytes to copy. This allows the calling process to obtain up to PAGE_SIZE bytes from the stack (and possibly adjacent kernel memory). This fix copies only as much as we actually have on the stack (attr->size defaults to the size of the struct) and leaves the rest of the userspace-provided buffer untouched. Found using kmemcheck + trinity. Signed-off-by: sanghyun.eom <sanghyun.eom@samsung.com>
author: sanghyun.eom <sanghyun.eom@samsung.com> 2016-08-04 17:16:43 +0900
committer: Sanghyun Eom <sanghyun.eom@samsung.com> 2016-08-08 05:32:06 +0000
commit: 97857c67136d5f2148365c51f9f6678586c92443 (patch)
tree: 05e315e2ca6e775a401a6479b0468928b748c4d0
parent: d550156beffdf4134760b689c291a56986993042 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index c081954d9da2..4fe3b4a2a610 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5250,7 +5250,7 @@ static int sched_read_attr(struct sched_attr __user *uattr,
 		attr->size = usize;
 	}
 
-	ret = copy_to_user(uattr, attr, usize);
+	ret = copy_to_user(uattr, attr, attr->size);
 	if (ret)
 		return -EFAULT;
author	sanghyun.eom <sanghyun.eom@samsung.com>	2016-08-04 17:16:43 +0900
committer	Sanghyun Eom <sanghyun.eom@samsung.com>	2016-08-08 05:32:06 +0000
commit	97857c67136d5f2148365c51f9f6678586c92443 (patch)
tree	05e315e2ca6e775a401a6479b0468928b748c4d0
parent	d550156beffdf4134760b689c291a56986993042 (diff)