diff options
author | sanghyun.eom <sanghyun.eom@samsung.com> | 2016-08-04 17:16:43 +0900 |
---|---|---|
committer | Sanghyun Eom <sanghyun.eom@samsung.com> | 2016-08-08 05:32:06 +0000 |
commit | 97857c67136d5f2148365c51f9f6678586c92443 (patch) | |
tree | 05e315e2ca6e775a401a6479b0468928b748c4d0 | |
parent | d550156beffdf4134760b689c291a56986993042 (diff) |
sched: Fix information leak in sys_sched_getattr()android-wear-6.0.1_r0.67
CVE-2014-9903
We're copying the on-stack structure to userspace, but forgot to give
the right number of bytes to copy. This allows the calling process to
obtain up to PAGE_SIZE bytes from the stack (and possibly adjacent
kernel memory).
This fix copies only as much as we actually have on the stack
(attr->size defaults to the size of the struct) and leaves the rest of
the userspace-provided buffer untouched.
Found using kmemcheck + trinity.
Signed-off-by: sanghyun.eom <sanghyun.eom@samsung.com>
-rw-r--r-- | kernel/sched/core.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/sched/core.c b/kernel/sched/core.c index c081954d9da2..4fe3b4a2a610 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -5250,7 +5250,7 @@ static int sched_read_attr(struct sched_attr __user *uattr, attr->size = usize; } - ret = copy_to_user(uattr, attr, usize); + ret = copy_to_user(uattr, attr, attr->size); if (ret) return -EFAULT; |