projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 2bbc3dc8 GKH |
1 | From f0c2b68198589249afd2b1f2c4e8de8c03e19c16 Mon Sep 17 00:00:00 2001 |
| 2 | From: Alan Stern <stern@rowland.harvard.edu> | |
| 3 | Date: Fri, 13 Feb 2015 10:54:53 -0500 | |
| 4 | Subject: USB: usbfs: don't leak kernel data in siginfo | |
| 5 | ||
| 6 | From: Alan Stern <stern@rowland.harvard.edu> | |
| 7 | ||
| 8 | commit f0c2b68198589249afd2b1f2c4e8de8c03e19c16 upstream. | |
| 9 | ||
| 10 | When a signal is delivered, the information in the siginfo structure | |
| 11 | is copied to userspace. Good security practice dicatates that the | |
| 12 | unused fields in this structure should be initialized to 0 so that | |
| 13 | random kernel stack data isn't exposed to the user. This patch adds | |
| 14 | such an initialization to the two places where usbfs raises signals. | |
| 15 | ||
| 16 | Signed-off-by: Alan Stern <stern@rowland.harvard.edu> | |
| 17 | Reported-by: Dave Mielke <dave@mielke.cc> | |
| 18 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 19 | ||
| 20 | --- | |
| 21 | drivers/usb/core/devio.c | 2 ++ | |
| 22 | 1 file changed, 2 insertions(+) | |
| 23 | ||
| 24 | --- a/drivers/usb/core/devio.c | |
| 25 | +++ b/drivers/usb/core/devio.c | |
| 26 | @@ -501,6 +501,7 @@ static void async_completed(struct urb * | |
| 27 | as->status = urb->status; | |
| 28 | signr = as->signr; | |
| 29 | if (signr) { | |
| 30 | + memset(&sinfo, 0, sizeof(sinfo)); | |
| 31 | sinfo.si_signo = as->signr; | |
| 32 | sinfo.si_errno = as->status; | |
| 33 | sinfo.si_code = SI_ASYNCIO; | |
| 34 | @@ -2371,6 +2372,7 @@ static void usbdev_remove(struct usb_dev | |
| 35 | wake_up_all(&ps->wait); | |
| 36 | list_del_init(&ps->list); | |
| 37 | if (ps->discsignr) { | |
| 38 | + memset(&sinfo, 0, sizeof(sinfo)); | |
| 39 | sinfo.si_signo = ps->discsignr; | |
| 40 | sinfo.si_errno = EPIPE; | |
| 41 | sinfo.si_code = SI_ASYNCIO; |