scsi_put_cdrom_generic_arg() is copying uninitialized stack memory to userspace due to the compiler not initializing holes in statically allocated structures. Fix it by initializing `cgc32` using memset().

Cc: stable@xxxxxxxxxxxxxxx
Fixes: f3ee6e63a9df ("compat_ioctl: move CDROM_SEND_PACKET handling into scsi")
Suggested-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Suggested-by: Arnd Bergmann <arnd@xxxxxxxx>
Signed-off-by: Peilin Ye <yepeilin.cs@xxxxxxxxx>
---
 block/scsi_ioctl.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index ef722f04f88a..1b7f85634751 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -692,16 +692,19 @@ static int scsi_put_cdrom_generic_arg(const struct cdrom_generic_command *cgc,
 {
 #ifdef CONFIG_COMPAT
 	if (in_compat_syscall()) {
-		struct compat_cdrom_generic_command cgc32 = {
-			.buffer = (uintptr_t)(cgc->buffer),
-			.buflen = cgc->buflen,
-			.stat = cgc->stat,
-			.sense = (uintptr_t)(cgc->sense),
-			.data_direction = cgc->data_direction,
-			.quiet = cgc->quiet,
-			.timeout = cgc->timeout,
-			.reserved[0] = (uintptr_t)(cgc->reserved[0]),
-		};
+		struct compat_cdrom_generic_command cgc32;
+
+		memset(&cgc32, 0, sizeof(cgc32));
+
+		cgc32.buffer = (uintptr_t)(cgc->buffer);
+		cgc32.buflen = cgc->buflen;
+		cgc32.stat = cgc->stat;
+		cgc32.sense = (uintptr_t)(cgc->sense);
+		cgc32.data_direction = cgc->data_direction;
+		cgc32.quiet = cgc->quiet;
+		cgc32.timeout = cgc->timeout;
+		cgc32.reserved[0] = (uintptr_t)(cgc->reserved[0]);
+
 		memcpy(&cgc32.cmd, &cgc->cmd, CDROM_PACKET_SIZE);
 
 		if (copy_to_user(arg, &cgc32, sizeof(cgc32)))
-- 
2.25.1
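Review bot: The new `memset(&cgc32, 0, sizeof(cgc32));` carries no comment explaining why the designated initializer was abandoned, so a later "cleanup" could fold the eight assignments back into `= { ... }` and silently reintroduce the padding-byte leak to userspace that this patch fixes; I would add `/* memset() rather than a designated initializer: C does not require padding to be zeroed, and the whole struct is copied to userspace. */` directly above the memset. The commit message's "holes in statically allocated structures" is also slightly off, since cgc32 is an automatic stack variable and the issue is that brace initialization need not zero padding, not storage class. The hunk shows only the CONFIG_COMPAT branch; scsi_put_cdrom_generic_arg() begins before the hunk and its non-compat path continues after it, so it is worth confirming that the native-size struct copied there is not built the same way.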