]>
Commit | Line | Data |
---|---|---|
2bbc3dc8 GKH |
1 | From f0c2b68198589249afd2b1f2c4e8de8c03e19c16 Mon Sep 17 00:00:00 2001 |
2 | From: Alan Stern <stern@rowland.harvard.edu> | |
3 | Date: Fri, 13 Feb 2015 10:54:53 -0500 | |
4 | Subject: USB: usbfs: don't leak kernel data in siginfo | |
5 | ||
6 | From: Alan Stern <stern@rowland.harvard.edu> | |
7 | ||
8 | commit f0c2b68198589249afd2b1f2c4e8de8c03e19c16 upstream. | |
9 | ||
10 | When a signal is delivered, the information in the siginfo structure | |
11 | is copied to userspace. Good security practice dicatates that the | |
12 | unused fields in this structure should be initialized to 0 so that | |
13 | random kernel stack data isn't exposed to the user. This patch adds | |
14 | such an initialization to the two places where usbfs raises signals. | |
15 | ||
16 | Signed-off-by: Alan Stern <stern@rowland.harvard.edu> | |
17 | Reported-by: Dave Mielke <dave@mielke.cc> | |
18 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
19 | ||
20 | --- | |
21 | drivers/usb/core/devio.c | 2 ++ | |
22 | 1 file changed, 2 insertions(+) | |
23 | ||
24 | --- a/drivers/usb/core/devio.c | |
25 | +++ b/drivers/usb/core/devio.c | |
26 | @@ -501,6 +501,7 @@ static void async_completed(struct urb * | |
27 | as->status = urb->status; | |
28 | signr = as->signr; | |
29 | if (signr) { | |
30 | + memset(&sinfo, 0, sizeof(sinfo)); | |
31 | sinfo.si_signo = as->signr; | |
32 | sinfo.si_errno = as->status; | |
33 | sinfo.si_code = SI_ASYNCIO; | |
34 | @@ -2371,6 +2372,7 @@ static void usbdev_remove(struct usb_dev | |
35 | wake_up_all(&ps->wait); | |
36 | list_del_init(&ps->list); | |
37 | if (ps->discsignr) { | |
38 | + memset(&sinfo, 0, sizeof(sinfo)); | |
39 | sinfo.si_signo = ps->discsignr; | |
40 | sinfo.si_errno = EPIPE; | |
41 | sinfo.si_code = SI_ASYNCIO; |