mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-01 14:44:12 +00:00
[PATCH] USB: usbfs: Don't leak uninitialized data
This patch fixes an information leak in the usbfs snoop facility: uninitialized data from __get_free_page can be returned to userspace and written to the system log. It also improves the snoop output by printing the wLength value. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
279e1545a1
commit
fe0410c7f4
1 changed files with 12 additions and 6 deletions
|
@ -569,8 +569,11 @@ static int proc_control(struct dev_state *ps, void __user *arg)
|
||||||
free_page((unsigned long)tbuf);
|
free_page((unsigned long)tbuf);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
snoop(&dev->dev, "control read: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n",
|
snoop(&dev->dev, "control read: bRequest=%02x "
|
||||||
ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex);
|
"bRrequestType=%02x wValue=%04x "
|
||||||
|
"wIndex=%04x wLength=%04x\n",
|
||||||
|
ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
|
||||||
|
ctrl.wIndex, ctrl.wLength);
|
||||||
|
|
||||||
usb_unlock_device(dev);
|
usb_unlock_device(dev);
|
||||||
i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,
|
i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,
|
||||||
|
@ -579,11 +582,11 @@ static int proc_control(struct dev_state *ps, void __user *arg)
|
||||||
if ((i > 0) && ctrl.wLength) {
|
if ((i > 0) && ctrl.wLength) {
|
||||||
if (usbfs_snoop) {
|
if (usbfs_snoop) {
|
||||||
dev_info(&dev->dev, "control read: data ");
|
dev_info(&dev->dev, "control read: data ");
|
||||||
for (j = 0; j < ctrl.wLength; ++j)
|
for (j = 0; j < i; ++j)
|
||||||
printk ("%02x ", (unsigned char)(tbuf)[j]);
|
printk ("%02x ", (unsigned char)(tbuf)[j]);
|
||||||
printk("\n");
|
printk("\n");
|
||||||
}
|
}
|
||||||
if (copy_to_user(ctrl.data, tbuf, ctrl.wLength)) {
|
if (copy_to_user(ctrl.data, tbuf, i)) {
|
||||||
free_page((unsigned long)tbuf);
|
free_page((unsigned long)tbuf);
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
}
|
}
|
||||||
|
@ -595,8 +598,11 @@ static int proc_control(struct dev_state *ps, void __user *arg)
|
||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
snoop(&dev->dev, "control write: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n",
|
snoop(&dev->dev, "control write: bRequest=%02x "
|
||||||
ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex);
|
"bRrequestType=%02x wValue=%04x "
|
||||||
|
"wIndex=%04x wLength=%04x\n",
|
||||||
|
ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
|
||||||
|
ctrl.wIndex, ctrl.wLength);
|
||||||
if (usbfs_snoop) {
|
if (usbfs_snoop) {
|
||||||
dev_info(&dev->dev, "control write: data: ");
|
dev_info(&dev->dev, "control write: data: ");
|
||||||
for (j = 0; j < ctrl.wLength; ++j)
|
for (j = 0; j < ctrl.wLength; ++j)
|
||||||
|
|
Loading…
Reference in a new issue