1. 26 Sep, 2011 1 commit
    • HID: hiddev: potential info leak in hiddev_ioctl() · 9561f7fa
      Dan Carpenter authored
      Smatch has a new check for Rosenberg type information leaks where
      structs are copied to the user with uninitialized stack data in them.
      
      In this case, the hiddev_devinfo struct has a two byte hole.
      
      struct hiddev_devinfo {
              __u32                      bustype;              /*     0     4 */
              __u32                      busnum;               /*     4     4 */
              __u32                      devnum;               /*     8     4 */
              __u32                      ifnum;                /*    12     4 */
              __s16                      vendor;               /*    16     2 */
              __s16                      product;              /*    18     2 */
              __s16                      version;              /*    20     2 */
      
              /* XXX 2 bytes hole, try to pack */
      
              __u32                      num_applications;     /*    24     4 */
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
  2. 20 Sep, 2011 1 commit
    • HID: hidraw: protect hidraw_disconnect() better · 65b01bd5
      James Hogan authored
      The function hidraw_disconnect() only acquires the hidraw minors_lock
      when clearing the entry in hidraw_table. However the device_destroy()
      call can cause a userland read/write to return with an error. It may
      cause the program to release the file descriptor before the disconnect
      is finished. hidraw_disconnect() has already set hidraw->exist to 0,
      which makes hidraw_release() kfree the hidraw structure, which
      hidraw_disconnect() continues to access and even tries to kfree again.
      Similarly if a hidraw_release() occurs after setting hidraw->exist to 0,
      the same thing can happen.
      
      This is fixed by expanding the mutex critical section to cover the whole
      function from setting hidraw->exist to 0 to freeing the hidraw
      structure, preventing a hidraw_release() from interfering.
      Signed-off-by: James Hogan <james.hogan@imgtec.com>
      Tested-by: David Herrmann <dh.herrmann@googlemail.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
  3. 08 Sep, 2011 7 commits
  4. 07 Sep, 2011 11 commits
  5. 06 Sep, 2011 13 commits
  6. 05 Sep, 2011 5 commits
  7. 04 Sep, 2011 1 commit
  8. 02 Sep, 2011 1 commit
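
The two-byte hole described in the hiddev commit message of 26 Sep, 2011 above, as an added example that is not part of the commit or the kernel source: a userspace mirror of the listed fields shows the padding carrying stale bytes into the copied-out buffer unless the struct is zeroed first. `devinfo_mirror`, `stale_bytes_in_reply` and the 0xAA marker are hypothetical names and constructed values, and zeroing with memset() is assumed as the mitigation because the page does not show the diff.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace mirror of the fields listed in the commit message, with
 * fixed-width stand-ins for __u32/__s16. The listing on the page stops at
 * num_applications, so this mirror stops there too. */
struct devinfo_mirror {
    uint32_t bustype, busnum, devnum, ifnum;
    int16_t  vendor, product, version;
    /* the compiler pads here so the next uint32_t is 4-byte aligned */
    uint32_t num_applications;
};

#define HOLE_START (offsetof(struct devinfo_mirror, version) + sizeof(int16_t))
#define HOLE_END   offsetof(struct devinfo_mirror, num_applications)
#define STALE      0xAA   /* constructed marker standing in for old stack data */

size_t hole_size(void) { return HOLE_END - HOLE_START; }

/* Build a reply member by member, as an ioctl handler would, and count how
 * many marker bytes reach the output buffer through the padding hole. */
size_t stale_bytes_in_reply(int zero_first)
{
    struct devinfo_mirror d;
    unsigned char out[sizeof d];
    size_t i, leaked = 0;

    memset(&d, STALE, sizeof d);          /* simulate leftover stack contents */
    if (zero_first)
        memset(&d, 0, sizeof d);          /* assumed mitigation: clears padding too */
    d.bustype = 3; d.busnum = 1; d.devnum = 2; d.ifnum = 0;
    d.vendor = 0x046d; d.product = 0x0001; d.version = 0x0110;
    d.num_applications = 1;               /* constructed sample values */
    memcpy(out, &d, sizeof d);            /* stands in for copy_to_user() */

    for (i = HOLE_START; i < HOLE_END; i++)
        leaked += (out[i] == STALE);
    return leaked;
}

int main(void)
{
    printf("hole: %zu bytes at offset %zu\n", hole_size(), (size_t)HOLE_START);
    printf("stale bytes copied out, fields only: %zu\n", stale_bytes_in_reply(0));
    printf("stale bytes copied out, memset first: %zu\n", stale_bytes_in_reply(1));
    return 0;
}
```

Assigning every named member is not enough to initialise the object: the bytes between `version` and `num_applications` belong to no member, so only a whole-object clear reaches them.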