usb: misc: iowarrior: fix information leak to userland
authorVasiliy Kulikov <segooon@gmail.com>
Sat, 6 Nov 2010 14:41:31 +0000 (17:41 +0300)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 9 Dec 2010 21:33:05 +0000 (13:33 -0800)
commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.

Structure iowarrior_info is copied to userland with padding byted
between "serial" and "revision" fields uninitialized.  It leads to
leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/usb/misc/iowarrior.c

index bc88c79875a146712cae5fcb7461325501f20ad7..0db05b252e3b259b829a8bd897a2028abb08e433 100644 (file)
@@ -553,6 +553,7 @@ static long iowarrior_ioctl(struct file *file, unsigned int cmd,
                        /* needed for power consumption */
                        struct usb_config_descriptor *cfg_descriptor = &dev->udev->actconfig->desc;
 
+                       memset(&info, 0, sizeof(info));
                        /* directly from the descriptor */
                        info.vendor = le16_to_cpu(dev->udev->descriptor.idVendor);
                        info.product = dev->product_id;