]>
Commit | Line | Data |
---|---|---|
eaad4d6c GKH |
1 | From eca67aaeebd6e5d22b0d991af1dd0424dc703bfb Mon Sep 17 00:00:00 2001 |
2 | From: Vasiliy Kulikov <segooon@gmail.com> | |
3 | Date: Sat, 6 Nov 2010 17:41:31 +0300 | |
4 | Subject: usb: misc: iowarrior: fix information leak to userland | |
5 | ||
6 | From: Vasiliy Kulikov <segooon@gmail.com> | |
7 | ||
8 | commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream. | |
9 | ||
10 | Structure iowarrior_info is copied to userland with padding byted | |
11 | between "serial" and "revision" fields uninitialized. It leads to | |
12 | leaking of contents of kernel stack memory. | |
13 | ||
14 | Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> | |
15 | Acked-by: Kees Cook <kees.cook@canonical.com> | |
16 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
17 | ||
18 | --- | |
19 | drivers/usb/misc/iowarrior.c | 1 + | |
20 | 1 file changed, 1 insertion(+) | |
21 | ||
22 | --- a/drivers/usb/misc/iowarrior.c | |
23 | +++ b/drivers/usb/misc/iowarrior.c | |
24 | @@ -553,6 +553,7 @@ static long iowarrior_ioctl(struct file | |
25 | /* needed for power consumption */ | |
26 | struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc; | |
27 | ||
28 | + memset(&info, 0, sizeof(info)); | |
29 | /* directly from the descriptor */ | |
30 | info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor); | |
31 | info.product = dev->product_id; |