[thirdparty/kernel/stable-queue.git] / releases / 2.6.36.2 / usb-misc-iowarrior-fix-information-leak-to-userland.patch

From eca67aaeebd6e5d22b0d991af1dd0424dc703bfb Mon Sep 17 00:00:00 2001
From: Vasiliy Kulikov <segooon@gmail.com>
Date: Sat, 6 Nov 2010 17:41:31 +0300
Subject: usb: misc: iowarrior: fix information leak to userland

From: Vasiliy Kulikov <segooon@gmail.com>

commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.

Structure iowarrior_info is copied to userland with padding byted
between "serial" and "revision" fields uninitialized.  It leads to
leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/usb/misc/iowarrior.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -553,6 +553,7 @@ static long iowarrior_ioctl(struct file
 			/* needed for power consumption */
 			struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
 
+			memset(&info, 0, sizeof(info));
 			/* directly from the descriptor */
 			info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
 			info.product = dev->product_id;
Commit	Line	Data
eaad4d6c GKH	1	From eca67aaeebd6e5d22b0d991af1dd0424dc703bfb Mon Sep 17 00:00:00 2001
	2	From: Vasiliy Kulikov <segooon@gmail.com>
	3	Date: Sat, 6 Nov 2010 17:41:31 +0300
	4	Subject: usb: misc: iowarrior: fix information leak to userland
	5
	6	From: Vasiliy Kulikov <segooon@gmail.com>
	7
	8	commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.
	9
	10	Structure iowarrior_info is copied to userland with padding byted
	11	between "serial" and "revision" fields uninitialized. It leads to
	12	leaking of contents of kernel stack memory.
	13
	14	Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
	15	Acked-by: Kees Cook <kees.cook@canonical.com>
	16	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	17
	18	---
	19	drivers/usb/misc/iowarrior.c \| 1 +
	20	1 file changed, 1 insertion(+)
	21
	22	--- a/drivers/usb/misc/iowarrior.c
	23	+++ b/drivers/usb/misc/iowarrior.c
	24	@@ -553,6 +553,7 @@ static long iowarrior_ioctl(struct file
	25	/* needed for power consumption */
	26	struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
	27
	28	+ memset(&info, 0, sizeof(info));
	29	/* directly from the descriptor */
	30	info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
	31	info.product = dev->product_id;