On Sat, 6 Nov 2010, Vasiliy Kulikov wrote:
> Structure usbdevfs_connectinfo is copied to userland with padding byted
> after "slow" field uninitialized. It leads to leaking of contents of
> kernel stack memory.
>
> Signed-off-by: Vasiliy Kulikov <segooon@xxxxxxxxx>
> ---
> Compile tested.
>
> drivers/usb/core/devio.c | 7 ++++---
> 1 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index f1aaff6..045bb4b 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -965,10 +965,11 @@ static int proc_getdriver(struct dev_state *ps, void __user *arg)
>
> static int proc_connectinfo(struct dev_state *ps, void __user *arg)
> {
> - struct usbdevfs_connectinfo ci;
> + struct usbdevfs_connectinfo ci = {
> + .devnum = ps->dev->devnum,
> + .slow = ps->dev->speed == USB_SPEED_LOW
> + };
>
> - ci.devnum = ps->dev->devnum;
> - ci.slow = ps->dev->speed == USB_SPEED_LOW;
> if (copy_to_user(arg, &ci, sizeof(ci)))
> return -EFAULT;
> return 0;
Are you sure that adding an initializer like this will zero out the
padding bytes? It might be safer just to call memset. This is not
exactly a hot path, after all.
Alan Stern
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
