s390/sclp_ctl: fix potential information leak with /dev/sclp
authorMartin Schwidefsky <schwidefsky@de.ibm.com>
Mon, 25 Apr 2016 15:54:28 +0000 (17:54 +0200)
committerMartin Schwidefsky <schwidefsky@de.ibm.com>
Wed, 27 Apr 2016 07:33:39 +0000 (09:33 +0200)
commit532c34b5fbf1687df63b3fcd5b2846312ac943c6
tree3bc98a98c96a419d250e46dc7b0426b73ed65d58
parent723cacbd9dc79582e562c123a0bacf8bfc69e72a
s390/sclp_ctl: fix potential information leak with /dev/sclp

The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
retrieve the sclp request from user space. The first copy_from_user
fetches the length of the request which is stored in the first two
bytes of the request. The second copy_from_user gets the complete
sclp request, but this copies the length field a second time.
A malicious user may have changed the length in the meantime.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
drivers/s390/char/sclp_ctl.c