linux/drivers/s390/char
Martin Schwidefsky 532c34b5fb s390/sclp_ctl: fix potential information leak with /dev/sclp
The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
retrieve the sclp request from user space. The first copy_from_user
fetches the length of the request which is stored in the first two
bytes of the request. The second copy_from_user gets the complete
sclp request, but this copies the length field a second time.
A malicious user may have changed the length in the meantime.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2016-04-27 09:33:39 +02:00
con3215.c tty: Remove ASYNC_CLOSING 2016-01-28 14:19:12 -08:00
con3270.c s390/con3270: testing return kzalloc retval 2015-12-30 10:34:33 +01:00
ctrlchar.c s390/ctrlchar: improve handling of magic sysrequests 2015-08-26 17:20:44 +02:00
ctrlchar.h s390/ctrlchar: improve handling of magic sysrequests 2015-08-26 17:20:44 +02:00
defkeymap.c
defkeymap.map
diag_ftp.c s390/diag: add a statistic for diagnose calls 2015-10-14 14:32:06 +02:00
diag_ftp.h s390/hmcdrv: HMC drive CD/DVD access 2014-09-25 10:52:02 +02:00
fs3270.c s390/3270: fix missing device_destroy() call 2013-11-15 14:08:37 +01:00
hmcdrv_cache.c s390/hmcdrv: HMC drive CD/DVD access 2014-09-25 10:52:02 +02:00
hmcdrv_cache.h s390/hmcdrv: HMC drive CD/DVD access 2014-09-25 10:52:02 +02:00
hmcdrv_dev.c assorted conversions to %p[dD] 2014-11-19 13:01:20 -05:00
hmcdrv_dev.h s390/hmcdrv: HMC drive CD/DVD access 2014-09-25 10:52:02 +02:00
hmcdrv_ftp.c s390/hmcdrv: constify hmcdrv_ftp_ops structs 2015-12-30 10:34:25 +01:00
hmcdrv_ftp.h s390/hmcdrv: HMC drive CD/DVD access 2014-09-25 10:52:02 +02:00
hmcdrv_mod.c s390/hmcdrv: remove unnecessary version.h inclusion 2015-01-15 11:11:16 +01:00
Kconfig s390/sclp: add open for business support 2015-11-27 09:24:18 +01:00
keyboard.c s390/keyboard: avoid off-by-one when using strnlen_user() 2015-06-15 10:51:12 +02:00
keyboard.h TTY: switch tty_schedule_flip 2013-01-15 22:43:15 -08:00
Makefile s390/sclp_cpi: remove sclp_cpi module in favor of sysfs interface 2015-11-27 09:24:16 +01:00
monreader.c s390: Use pr_warn instead of pr_warning 2016-03-07 13:12:04 +01:00
monwriter.c s390: char: drop owner assignment from platform_drivers 2014-10-20 16:21:32 +02:00
raw3270.c s390/3270: correct size detection with the read-partition command 2014-07-16 10:48:10 +02:00
raw3270.h s390/con3270: optionally disable auto update 2014-03-26 10:55:33 +01:00
sclp_async.c s390/sclp_async: add Kconfig option to specify the component id 2014-11-28 09:45:11 +01:00
sclp_cmd.c s390: Use pr_warn instead of pr_warning 2016-03-07 13:12:04 +01:00
sclp_con.c s390/sclp: add parameter to specify number of buffer pages 2013-06-26 21:10:03 +02:00
sclp_config.c s390/sclp: add open for business support 2015-11-27 09:24:18 +01:00
sclp_cpi_sys.c s390: Use pr_warn instead of pr_warning 2016-03-07 13:12:04 +01:00
sclp_cpi_sys.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
sclp_ctl.c s390/sclp_ctl: fix potential information leak with /dev/sclp 2016-04-27 09:33:39 +02:00
sclp_diag.h s390/hmcdrv: HMC drive CD/DVD access 2014-09-25 10:52:02 +02:00
sclp_early.c KVM: s390: consider system MHA for guest storage 2015-12-15 17:08:22 +01:00
sclp_ftp.c s390/hmcdrv: HMC drive CD/DVD access 2014-09-25 10:52:02 +02:00
sclp_ftp.h s390/hmcdrv: HMC drive CD/DVD access 2014-09-25 10:52:02 +02:00
sclp_ocf.c s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
sclp_quiesce.c s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
sclp_rw.c s390/sclp: avoid merged message output 2015-10-14 14:32:10 +02:00
sclp_rw.h s390/sclp: avoid merged message output 2015-10-14 14:32:10 +02:00
sclp_sdias.c s390/sclp: pass timeout as HZ independent value 2015-06-15 10:50:57 +02:00
sclp_sdias.h s390/sclp: Move declarations for sclp_sdias into separate header file 2013-11-15 14:08:39 +01:00
sclp_tty.c s390/sclp: avoid merged message output 2015-10-14 14:32:10 +02:00
sclp_tty.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
sclp_vt220.c s390/sclp_vt220: support magic sysrequests 2015-08-26 17:20:45 +02:00
sclp.c s390/sclp: fix possible control register corruption 2016-01-11 13:03:00 +01:00
sclp.h s390/sclp: move sclp_facilities into "struct sclp" 2015-05-13 09:58:18 +02:00
tape_34xx.c s390/tape: remove redundant if statement 2015-01-22 12:51:49 +01:00
tape_3590.c treewide: fix typo in printk and Kconfig 2014-11-20 14:56:11 +01:00
tape_3590.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
tape_char.c s390/tape: fix MTIOCGET ioctl to report blocksize 2014-09-25 10:52:03 +02:00
tape_class.c s390/drivers: Cocci spatch "ptr_ret.spatch" 2013-06-26 21:10:22 +02:00
tape_class.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
tape_core.c s390: Use pr_warn instead of pr_warning 2016-03-07 13:12:04 +01:00
tape_proc.c s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
tape_std.c s390/tape: Add missing destroy_timer_on_stack() 2014-04-01 09:23:37 +02:00
tape_std.h s390/tape: remove even more tape block leftovers 2012-09-26 15:45:20 +02:00
tape.h s390/tape: remove even more tape block leftovers 2012-09-26 15:45:20 +02:00
tty3270.c s390/3270: redraw screen on unsolicited device end 2015-08-26 17:19:49 +02:00
tty3270.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
vmcp.c convert a bunch of open-coded instances of memdup_user_nul() 2016-01-04 10:26:58 -05:00
vmcp.h s390/comments: unify copyright messages and remove file names 2012-07-20 11:15:04 +02:00
vmlogrdr.c s390: Use pr_warn instead of pr_warning 2016-03-07 13:12:04 +01:00
vmur.c new helpers: no_seek_end_llseek{,_size}() 2015-12-23 10:41:31 -05:00
vmur.h
zcore.c new helpers: no_seek_end_llseek{,_size}() 2015-12-23 10:41:31 -05:00