mirror of
https://github.com/FEX-Emu/linux.git
synced 2024-12-27 03:47:43 +00:00
532c34b5fb
The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to retrieve the sclp request from user space. The first copy_from_user fetches the length of the request which is stored in the first two bytes of the request. The second copy_from_user gets the complete sclp request, but this copies the length field a second time. A malicious user may have changed the length in the meantime. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> |
||
|---|---|---|
| .. | ||
| con3215.c | ||
| con3270.c | ||
| ctrlchar.c | ||
| ctrlchar.h | ||
| defkeymap.c | ||
| defkeymap.map | ||
| diag_ftp.c | ||
| diag_ftp.h | ||
| fs3270.c | ||
| hmcdrv_cache.c | ||
| hmcdrv_cache.h | ||
| hmcdrv_dev.c | ||
| hmcdrv_dev.h | ||
| hmcdrv_ftp.c | ||
| hmcdrv_ftp.h | ||
| hmcdrv_mod.c | ||
| Kconfig | ||
| keyboard.c | ||
| keyboard.h | ||
| Makefile | ||
| monreader.c | ||
| monwriter.c | ||
| raw3270.c | ||
| raw3270.h | ||
| sclp_async.c | ||
| sclp_cmd.c | ||
| sclp_con.c | ||
| sclp_config.c | ||
| sclp_cpi_sys.c | ||
| sclp_cpi_sys.h | ||
| sclp_ctl.c | ||
| sclp_diag.h | ||
| sclp_early.c | ||
| sclp_ftp.c | ||
| sclp_ftp.h | ||
| sclp_ocf.c | ||
| sclp_quiesce.c | ||
| sclp_rw.c | ||
| sclp_rw.h | ||
| sclp_sdias.c | ||
| sclp_sdias.h | ||
| sclp_tty.c | ||
| sclp_tty.h | ||
| sclp_vt220.c | ||
| sclp.c | ||
| sclp.h | ||
| tape_34xx.c | ||
| tape_3590.c | ||
| tape_3590.h | ||
| tape_char.c | ||
| tape_class.c | ||
| tape_class.h | ||
| tape_core.c | ||
| tape_proc.c | ||
| tape_std.c | ||
| tape_std.h | ||
| tape.h | ||
| tty3270.c | ||
| tty3270.h | ||
| vmcp.c | ||
| vmcp.h | ||
| vmlogrdr.c | ||
| vmur.c | ||
| vmur.h | ||
| zcore.c | ||