git.ipfire.org Git - thirdparty/kernel/stable.git/commit
s390/sclp_ctl: fix potential information leak with /dev/sclp
author Martin Schwidefsky <schwidefsky@de.ibm.com>
Mon, 25 Apr 2016 15:54:28 +0000 (17:54 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Sep 2016 07:59:58 +0000 (09:59 +0200)
commit 78a4260f1fad5cfc6ad7cf6e01a93a2fed0d0e3e
tree 2d838c1da9ce2a187b53a069d01c33236bef8e7f
parent d57906c6850c5bb9a93841da3deb6df53135d133
s390/sclp_ctl: fix potential information leak with /dev/sclp

commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream.

The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
retrieve the sclp request from user space. The first copy_from_user
fetches the length of the request which is stored in the first two
bytes of the request. The second copy_from_user gets the complete
sclp request, but this copies the length field a second time.
A malicious user may have changed the length in the meantime.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/s390/char/sclp_ctl.c
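
The double fetch described in the commit message, as a user-space simulation added here (not the kernel's code and not the patch itself). All names are hypothetical: `fetch_user` stands in for `copy_from_user`, and `race_hook` models a second user thread that rewrites the length between fetches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 4096u                      /* stand-in for PAGE_SIZE */
static uint8_t user_mem[PAGE];          /* constructed "user space" buffer */
static void (*race_hook)(void);         /* models a second user thread */

/* Stand-in for copy_from_user(): copy, then let the racing thread run once. */
static void fetch_user(void *dst, size_t n) {
    memcpy(dst, user_mem, n);
    if (race_hook) { void (*h)(void) = race_hook; race_hook = NULL; h(); }
}
static void set_user_len(uint16_t len) { memcpy(user_mem, &len, sizeof(len)); }
static void racing_thread_changes_len(void) { set_user_len(0xffff); }

/* Double fetch: the length is checked after fetch 1, then fetch 2 overwrites
 * it in the kernel copy. Returns the length later code would read, 0 on reject. */
static unsigned handle_double_fetch(uint8_t *kbuf) {
    uint16_t len;
    fetch_user(&len, sizeof(len));              /* fetch 1: length only */
    if (len < 8 || len > PAGE) return 0;
    fetch_user(kbuf, len);                      /* fetch 2: length copied again */
    memcpy(&len, kbuf, sizeof(len));
    return len;
}

/* Single fetch: copy once, then validate the length held in the kernel copy. */
static unsigned handle_single_fetch(uint8_t *kbuf) {
    uint16_t len;
    fetch_user(kbuf, PAGE);                     /* the only fetch */
    memcpy(&len, kbuf, sizeof(len));
    if (len < 8 || len > PAGE) return 0;
    return len;
}

/* Run one handler against a request whose length changes from 16 mid-call. */
static unsigned run_with_race(unsigned (*handler)(uint8_t *)) {
    static uint8_t kbuf[PAGE];
    memset(kbuf, 0, sizeof(kbuf));
    set_user_len(16);
    race_hook = racing_thread_changes_len;
    return handler(kbuf);
}

int main(void) {
    printf("double fetch sees length %u\n", run_with_race(handle_double_fetch));
    printf("single fetch sees length %u\n", run_with_race(handle_single_fetch));
    return 0;
}
```

In the double-fetch handler the bounds check passes on 16, yet the kernel copy ends up holding a length that was never validated; the single-fetch handler only ever sees the value it checked.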