Commit b0e2796
Staging: unisys: verify that a control channel exists
The code didn't verify that a control channel exists before trying to
use it. It caused NULL ptr derefs which were easy to trigger by an
unprivileged user simply by reading the proc file, causing:
[ 68.161404] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 68.162442] IP: visorchannel_read (drivers/staging/unisys/visorchannel/visorchannel_funcs.c:225)
[ 68.163165] PGD 5ca21067 PUD 5ca20067 PMD 0
[ 68.163712] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 68.164390] Dumping ftrace buffer:
[ 68.164793] (ftrace buffer empty)
[ 68.165220] Modules linked in:
[ 68.165601] CPU: 0 PID: 7915 Comm: cat Tainted: G W 3.14.0-next-20140403-sasha-00012-gef5fa7d-dirty #373
[ 68.166821] task: ffff88006e8c3000 ti: ffff88005ca30000 task.ti: ffff88005ca30000
[ 68.167689] RIP: visorchannel_read (drivers/staging/unisys/visorchannel/visorchannel_funcs.c:225)
[ 68.168683] RSP: 0018:ffff88005ca31e58 EFLAGS: 00010282
[ 68.169302] RAX: ffff88005ca10000 RBX: ffff88005ca31e97 RCX: 0000000000000001
[ 68.170019] RDX: ffff88005ca31e97 RSI: 0000000000000bd6 RDI: 0000000000000000
[ 68.170019] RBP: ffff88005ca31e78 R08: 0000000000000000 R09: 0000000000000000
[ 68.170019] R10: ffff880000000000 R11: 0000000000000001 R12: 0000000000000001
[ 68.170019] R13: 0000000000000bd6 R14: 0000000000000000 R15: 0000000000008000
[ 68.170019] FS: 00007f0e8c041700(0000) GS:ffff88007be00000(0000) knlGS:0000000000000000
[ 68.170019] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 68.170019] CR2: 0000000000000000 CR3: 000000006efe9000 CR4: 00000000000006b0
[ 68.170019] Stack:
[ 68.170019] ffff88005ca31f50 ffff88005ca10000 000000000060e000 ffff88005ca31f50
[ 68.170019] ffff88005ca31ec8 ffffffff83e6f983 ffff8800780db810 0000000000008000
[ 68.170019] ffff88005ca31ec8 ffff88006da5f908 ffff8800780db800 000000000060e000
[ 68.170019] Call Trace:
[ 68.170019] proc_read_toolaction (drivers/staging/unisys/visorchipset/visorchipset_main.c:2541)
[ 68.170019] proc_reg_read (fs/proc/inode.c:211)
[ 68.170019] vfs_read (fs/read_write.c:408)
[ 68.170019] SyS_read (fs/read_write.c:519 fs/read_write.c:511)
[ 68.170019] tracesys (arch/x86/kernel/entry_64.S:749)
[ 68.170019] Code: 00 00 66 66 66 66 90 55 48 89 e5 48 83 ec 20 48 89 5d e0 48 89 d3 4c 89 65 e8 49 89 cc 4c 89 6d f0 49 89 f5 4c 89 75 f8 49 89 fe <48> 8b 3f e8 4f f9 ff ff 85 c0 0f 88 97 00 00 00 4d 85 ed 0f 85
[ 68.170019] RIP visorchannel_read (drivers/staging/unisys/visorchannel/visorchannel_funcs.c:225)
[ 68.170019] RSP <ffff88005ca31e58>
[ 68.170019] CR2: 0000000000000000
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 9c01e83 commit b0e2796
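
A user-space model of the bug class the commit message describes, added here as an illustration; it is not the driver's code or this commit's diff. All `demo_*` names and the `-ENODEV` return value are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for a driver's control channel (not the visorchannel type). */
struct demo_channel { unsigned char mem[64]; size_t size; };

/* Stays NULL until a channel is attached, e.g. when the device never appears. */
static struct demo_channel *demo_ctrl_chan;
static struct demo_channel demo_storage = { .mem = { 0x2a }, .size = 64 };
void demo_attach(void) { demo_ctrl_chan = &demo_storage; }
void demo_detach(void) { demo_ctrl_chan = NULL; }

/* Low-level read: dereferences ch, so callers must pass a valid pointer. */
static int demo_channel_read(struct demo_channel *ch, size_t off, void *dst, size_t len)
{
    if (off > ch->size || len > ch->size - off)
        return -EINVAL;
    memcpy(dst, ch->mem + off, len);
    return 0;
}

/* Unguarded handler: any reader of the file reaches the dereference, NULL or not. */
ssize_t demo_read_unguarded(unsigned char *out)
{
    return demo_channel_read(demo_ctrl_chan, 0, out, 1) < 0 ? -EIO : 1;
}

/* Guarded handler: fail the read with an errno instead of touching a missing channel. */
ssize_t demo_read_guarded(unsigned char *out)
{
    if (!demo_ctrl_chan)
        return -ENODEV; /* assumption: errno chosen for this example */
    return demo_channel_read(demo_ctrl_chan, 0, out, 1) < 0 ? -EIO : 1;
}

int main(void)
{
    unsigned char b = 0;
    ssize_t n = demo_read_guarded(&b);   /* no channel attached yet */
    printf("no channel: %zd\n", n);
    demo_attach();
    n = demo_read_guarded(&b);
    printf("attached:   %zd, byte 0x%02x\n", n, b);
    return 0;
}
```

The guard belongs in every handler that can run before the channel exists, since the low-level read has no way to recover once it is handed a NULL pointer.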
1 file changed, +18 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2414 | 2414 | | |
2415 | 2415 | | |
2416 | 2416 | | |
| 2417 | + | |
| 2418 | + | |
| 2419 | + | |
2417 | 2420 | | |
2418 | 2421 | | |
2419 | 2422 | | |
| |||
2463 | 2466 | | |
2464 | 2467 | | |
2465 | 2468 | | |
| 2469 | + | |
| 2470 | + | |
| 2471 | + | |
2466 | 2472 | | |
2467 | 2473 | | |
2468 | 2474 | | |
| |||
2524 | 2530 | | |
2525 | 2531 | | |
2526 | 2532 | | |
| 2533 | + | |
| 2534 | + | |
| 2535 | + | |
2527 | 2536 | | |
2528 | 2537 | | |
2529 | 2538 | | |
| |||
2562 | 2571 | | |
2563 | 2572 | | |
2564 | 2573 | | |
| 2574 | + | |
| 2575 | + | |
| 2576 | + | |
2565 | 2577 | | |
2566 | 2578 | | |
2567 | 2579 | | |
| |||
2601 | 2613 | | |
2602 | 2614 | | |
2603 | 2615 | | |
| 2616 | + | |
| 2617 | + | |
| 2618 | + | |
2604 | 2619 | | |
2605 | 2620 | | |
2606 | 2621 | | |
| |||
2639 | 2654 | | |
2640 | 2655 | | |
2641 | 2656 | | |
| 2657 | + | |
| 2658 | + | |
| 2659 | + | |
2642 | 2660 | | |
2643 | 2661 | | |
2644 | 2662 | | |
| |||