mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-14 12:37:32 +00:00
USB: usbfs: fix potential infoleak in devio
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes are padding bytes which are not initialized and leaked to userland via “copy_to_user”. Signed-off-by: Kangjie Lu <kjlu@gatech.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
973986126a
commit
681fef8380
1 changed files with 5 additions and 4 deletions
|
@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
|
||||||
|
|
||||||
static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
|
static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
|
||||||
{
|
{
|
||||||
struct usbdevfs_connectinfo ci = {
|
struct usbdevfs_connectinfo ci;
|
||||||
.devnum = ps->dev->devnum,
|
|
||||||
.slow = ps->dev->speed == USB_SPEED_LOW
|
memset(&ci, 0, sizeof(ci));
|
||||||
};
|
ci.devnum = ps->dev->devnum;
|
||||||
|
ci.slow = ps->dev->speed == USB_SPEED_LOW;
|
||||||
|
|
||||||
if (copy_to_user(arg, &ci, sizeof(ci)))
|
if (copy_to_user(arg, &ci, sizeof(ci)))
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
|
|
Loading…
Reference in a new issue