Re: [PATCH v2] HID: uhid: fix leak for 64/32 UHID_CREATE

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2013-11-26 at 13:58 +0100, David Herrmann wrote:
> UHID allows short writes so user-space can omit unused fields. We
> automatically set them to 0 in the kernel. However, the 64/32 bit
> compat-handler didn't do that in the UHID_CREATE fallback. This will
> reveal random kernel heap data (of random size, even) to user-space.
> 
> Reported-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> Signed-off-by: David Herrmann <dh.herrmann@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx

Fixes: befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems')

(that should make it clear which versions need the fix)

> ---
>  drivers/hid/uhid.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
> index 93b00d7..cedc6da 100644
> --- a/drivers/hid/uhid.c
> +++ b/drivers/hid/uhid.c
> @@ -287,7 +287,7 @@ static int uhid_event_from_user(const char __user *buffer, size_t len,
>  			 */
>  			struct uhid_create_req_compat *compat;
>  
> -			compat = kmalloc(sizeof(*compat), GFP_KERNEL);
> +			compat = kzalloc(sizeof(*compat), GFP_KERNEL);
>  			if (!compat)
>  				return -ENOMEM;
>  

-- 
Ben Hutchings
Usenet is essentially a HUGE group of people passing notes in class.
                      - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]