On 09/03/15 20:08, Matteo Semenzato wrote:
From: Matteo Semenzato <mattew8898@xxxxxxxxx> The comedi_cmd struct has an hole after chanlist_len that could contain uninitialized memory, this struct is copied to userspace. Signed-off-by: Matteo Semenato <mattew8898@xxxxxxxxx> --- drivers/staging/comedi/comedi_fops.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 727640e..1cdf0a2 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -1718,6 +1718,8 @@ static int do_cmdtest_ioctl(struct comedi_device *dev, unsigned int __user *user_chanlist; int ret; + memset(&cmd, 0, sizeof(cmd)); + /* get the user's cmd and do some simple validation */ ret = __comedi_get_user_cmd(dev, arg, &cmd); if (ret)
I see no information leak there. The cmd variable gets copied over with user memory by the call to __comedi_get_user_cmd(), so zero-filling it first is rather pointless.
-- -=( Ian Abbott @ MEV Ltd. E-mail: <abbotti@xxxxxxxxx> )=- -=( Web: http://www.mev.co.uk/ )=- _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
