On Tue, Oct 11, 2016 at 02:52:28PM +0200, Vlad Tsyrklevich wrote: > i2c_smbus_xfer() does not always fill an entire block, allowing > kernel stack memory disclosure through the temp variable. Clear > it before it's read to. > > Signed-off-by: Vlad Tsyrklevich <vlad@xxxxxxxxxxxxxxx> Yes, thanks. But what about clearing 'temp' when it is declared? This would be rock-solid for all future code paths. > > --- > drivers/i2c/i2c-dev.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c > index 66f323f..62cb111 100644 > --- a/drivers/i2c/i2c-dev.c > +++ b/drivers/i2c/i2c-dev.c > @@ -393,6 +393,8 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client, > (data_arg.read_write == I2C_SMBUS_WRITE)) { > if (copy_from_user(&temp, data_arg.data, datasize)) > return -EFAULT; > + } else { > + memset(&temp, 0, datasize); > } > if (data_arg.size == I2C_SMBUS_I2C_BLOCK_BROKEN) { > /* Convert old I2C block commands to the new > -- > 2.7.0 >
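Review bot: In the new else branch, memset(&temp, 0, datasize) clears only datasize bytes, and only on the path that skips copy_from_user(), so the fix holds only as long as every later read of temp is bounded by that same datasize. Clearing the whole object covers both branches and any later change to the length: either memset(&temp, 0, sizeof(temp)) before the if, or zero-initializing temp at its declaration as the reply suggests. A one-line comment noting that i2c_smbus_xfer() may leave part of the block unwritten would also record why the clear is needed.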