[thirdparty/kernel/stable-queue.git] / releases / 4.4.44 / i2c-fix-kernel-memory-disclosure-in-dev-interface.patch

From 30f939feaeee23e21391cfc7b484f012eb189c3c Mon Sep 17 00:00:00 2001
From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Date: Mon, 9 Jan 2017 22:53:36 +0700
Subject: i2c: fix kernel memory disclosure in dev interface

From: Vlad Tsyrklevich <vlad@tsyrklevich.net>

commit 30f939feaeee23e21391cfc7b484f012eb189c3c upstream.

i2c_smbus_xfer() does not always fill an entire block, allowing
kernel stack memory disclosure through the temp variable. Clear
it before it's read to.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/i2c/i2c-dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -329,7 +329,7 @@ static noinline int i2cdev_ioctl_smbus(s
 		unsigned long arg)
 {
 	struct i2c_smbus_ioctl_data data_arg;
-	union i2c_smbus_data temp;
+	union i2c_smbus_data temp = {};
 	int datasize, res;
 
 	if (copy_from_user(&data_arg,
Commit	Line	Data
fb13cba2 GKH	1	From 30f939feaeee23e21391cfc7b484f012eb189c3c Mon Sep 17 00:00:00 2001
	2	From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
	3	Date: Mon, 9 Jan 2017 22:53:36 +0700
	4	Subject: i2c: fix kernel memory disclosure in dev interface
	5
	6	From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
	7
	8	commit 30f939feaeee23e21391cfc7b484f012eb189c3c upstream.
	9
	10	i2c_smbus_xfer() does not always fill an entire block, allowing
	11	kernel stack memory disclosure through the temp variable. Clear
	12	it before it's read to.
	13
	14	Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
	15	Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
	16	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	17
	18	---
	19	drivers/i2c/i2c-dev.c \| 2 +-
	20	1 file changed, 1 insertion(+), 1 deletion(-)
	21
	22	--- a/drivers/i2c/i2c-dev.c
	23	+++ b/drivers/i2c/i2c-dev.c
	24	@@ -329,7 +329,7 @@ static noinline int i2cdev_ioctl_smbus(s
	25	unsigned long arg)
	26	{
	27	struct i2c_smbus_ioctl_data data_arg;
	28	- union i2c_smbus_data temp;
	29	+ union i2c_smbus_data temp = {};
	30	int datasize, res;
	31
	32	if (copy_from_user(&data_arg,