[PATCH] platform/surface: aggregator: prevent information leak in ssam_cdev_request()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If copy_struct_from_user() fails at the start of the function then this
function calls put_user(rsp.length, &r->response.length) before
"rsp.length" is set to zero.  That is a potential security issue because
it discloses kernel stack data to user space.

Fixes: 178f6ab77e61 ("platform/surface: Add Surface Aggregator user-space interface")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
 drivers/platform/surface/surface_aggregator_cdev.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/platform/surface/surface_aggregator_cdev.c b/drivers/platform/surface/surface_aggregator_cdev.c
index 340d15b148b9..05e9eb118d76 100644
--- a/drivers/platform/surface/surface_aggregator_cdev.c
+++ b/drivers/platform/surface/surface_aggregator_cdev.c
@@ -67,7 +67,7 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
 	struct ssam_cdev_request __user *r;
 	struct ssam_cdev_request rqst;
 	struct ssam_request spec;
-	struct ssam_response rsp;
+	struct ssam_response rsp = {};
 	const void __user *plddata;
 	void __user *rspdata;
 	int status = 0, ret = 0, tmp;
@@ -96,8 +96,6 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
 		spec.flags |= SSAM_REQUEST_UNSEQUENCED;
 
 	rsp.capacity = rqst.response.length;
-	rsp.length = 0;
-	rsp.pointer = NULL;
 
 	/* Get request payload from user-space. */
 	if (spec.length) {
-- 
2.29.2




[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux