Re: a kernel address leak via copy_to_user in drivers/tty/rocket.c
From: Greg KH
Date: Sat Mar 30 2019 - 03:14:20 EST
On Sat, Mar 30, 2019 at 03:05:11PM +0800, Fuqian Huang wrote:
> Hi, recently I found that there is a kernel address leaks to user
> space via copy_to_user in
> drivers/tty/rocket.c:1287 (linux-5.0.5)
> static int rp_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned
> long arg) {
> ...
> case RCKP_GET_STRUCT:
> if (copy_to_user(argp, info, sizeof(struct r_port))
> ...
> }
> The `info` is a struct r_port. and the field `r_port.port.ops` is an
> constant pointer,
> and it points to a constant object `rocket_port_ops` during the initialization.
> (function init_r_port) (drivers/tty/rocket.c:633)
>
> patch suggestion:
> set the pointer field to null before the copy to user call.
Great, can you send a patch to fix this so that you get the proper
credit for finding and resolving it?
thanks,
greg k-h