[thirdparty/kernel/stable-queue.git] / releases / 2.6.36.2 / usb-misc-sisusbvga-fix-information-leak-to-userland.patch

From 5dc92cf1d0b4b0debbd2e333b83f9746c103533d Mon Sep 17 00:00:00 2001
From: Vasiliy Kulikov <segooon@gmail.com>
Date: Sat, 6 Nov 2010 17:41:35 +0300
Subject: usb: misc: sisusbvga: fix information leak to userland

From: Vasiliy Kulikov <segooon@gmail.com>

commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.

Structure sisusb_info is copied to userland with "sisusb_reserved" field
uninitialized.  It leads to leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/usb/misc/sisusbvga/sisusb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -3008,6 +3008,7 @@ sisusb_ioctl(struct file *file, unsigned
 #else
 			x.sisusb_conactive  = 0;
 #endif
+			memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved));
 
 			if (copy_to_user((void __user *)arg, &x, sizeof(x)))
 				retval = -EFAULT;
Commit	Line	Data
eaad4d6c GKH	1	From 5dc92cf1d0b4b0debbd2e333b83f9746c103533d Mon Sep 17 00:00:00 2001
	2	From: Vasiliy Kulikov <segooon@gmail.com>
	3	Date: Sat, 6 Nov 2010 17:41:35 +0300
	4	Subject: usb: misc: sisusbvga: fix information leak to userland
	5
	6	From: Vasiliy Kulikov <segooon@gmail.com>
	7
	8	commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.
	9
	10	Structure sisusb_info is copied to userland with "sisusb_reserved" field
	11	uninitialized. It leads to leaking of contents of kernel stack memory.
	12
	13	Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
	14	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	15
	16	---
	17	drivers/usb/misc/sisusbvga/sisusb.c \| 1 +
	18	1 file changed, 1 insertion(+)
	19
	20	--- a/drivers/usb/misc/sisusbvga/sisusb.c
	21	+++ b/drivers/usb/misc/sisusbvga/sisusb.c
	22	@@ -3008,6 +3008,7 @@ sisusb_ioctl(struct file *file, unsigned
	23	#else
	24	x.sisusb_conactive = 0;
	25	#endif
	26	+ memset(x.sisusb_reserved, 0, sizeof(x.sisusb_reserved));
	27
	28	if (copy_to_user((void __user *)arg, &x, sizeof(x)))
	29	retval = -EFAULT;