On Tue, 2013-11-26 at 13:58 +0100, David Herrmann wrote: > UHID allows short writes so user-space can omit unused fields. We > automatically set them to 0 in the kernel. However, the 64/32 bit > compat-handler didn't do that in the UHID_CREATE fallback. This will > reveal random kernel heap data (of random size, even) to user-space. > > Reported-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> > Signed-off-by: David Herrmann <dh.herrmann@xxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx Fixes: befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems') (that should make it clear which versions need the fix) > --- > drivers/hid/uhid.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c > index 93b00d7..cedc6da 100644 > --- a/drivers/hid/uhid.c > +++ b/drivers/hid/uhid.c > @@ -287,7 +287,7 @@ static int uhid_event_from_user(const char __user *buffer, size_t len, > */ > struct uhid_create_req_compat *compat; > > - compat = kmalloc(sizeof(*compat), GFP_KERNEL); > + compat = kzalloc(sizeof(*compat), GFP_KERNEL); > if (!compat) > return -ENOMEM; > -- Ben Hutchings Usenet is essentially a HUGE group of people passing notes in class. - Rachel Kadel, `A Quick Guide to Newsgroup Etiquette'
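Review bot: the kzalloc() call for compat in uhid_event_from_user() has no comment saying why the buffer must be zeroed, so a later cleanup could switch it back to kmalloc() and reintroduce the exposure of uninitialized heap bytes on short writes. Suggest a one-line comment above the allocation noting that user-space may write fewer than sizeof(*compat) bytes and the unwritten tail must read as zero. The commit message also carries a stable Cc without a Fixes: tag naming the commit that introduced the compat path, so the affected versions are not identifiable from the patch alone.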