From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Wed, 15 Sep 2010 11:43:28 +0000 (+0000)
Subject: drivers/net/usb/hso.c: prevent reading uninitialized memory
X-Git-Tag: firefly_0821_release~10186^2~913
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=adf62df3786df2525f0817c8847d609bf72113a3;p=firefly-linux-kernel-4.4.55.git

drivers/net/usb/hso.c: prevent reading uninitialized memory

commit 7011e660938fc44ed86319c18a5954e95a82ab3e upstream.

Fixed formatting (tabs and line breaks).

The TIOCGICOUNT device ioctl allows unprivileged users to read
uninitialized stack memory, because the "reserved" member of the
serial_icounter_struct struct declared on the stack in hso_get_count()
is not altered or zeroed before being copied back to the user.  This
patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 43bc3fcc0d85..f450bc9a89ac 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -1634,6 +1634,8 @@ static int hso_get_count(struct hso_serial *serial,
 	struct uart_icount cnow;
 	struct hso_tiocmget  *tiocmget = serial->tiocmget;
 
+	memset(&icount, 0, sizeof(struct serial_icounter_struct));
+
 	if (!tiocmget)
 		 return -ENOENT;
 	spin_lock_irq(&serial->serial_lock);