Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

usb: core: fix information leak to userland

Structure usbdevfs_connectinfo is copied to userland with padding bytes
after "slow" field uninitialized. It leads to leaking of contents of
kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Authored by Vasiliy Kulikov and committed by Greg Kroah-Hartman
886ccd45 eca67aae

+4 -3
drivers/usb/core/devio.c
··· 965 965 966 966 static int proc_connectinfo(struct dev_state *ps, void __user *arg) 967 967 { 968 - struct usbdevfs_connectinfo ci; 968 + struct usbdevfs_connectinfo ci = { 969 + .devnum = ps->dev->devnum, 970 + .slow = ps->dev->speed == USB_SPEED_LOW 971 + }; 969 972 970 - ci.devnum = ps->dev->devnum; 971 - ci.slow = ps->dev->speed == USB_SPEED_LOW; 972 973 if (copy_to_user(arg, &ci, sizeof(ci))) 973 974 return -EFAULT; 974 975 return 0;
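
Review bot: in proc_connectinfo(), the new designated initializer names every member of ci (.devnum and .slow), and the C standard does not guarantee that padding bytes are cleared by an initializer list; a compiler is free to store the two fields individually and leave the bytes after .slow as they were on the stack, in which case copy_to_user(arg, &ci, sizeof(ci)) still copies them out. Suggest an explicit memset(&ci, 0, sizeof(ci)) before the two field assignments, which clears the whole object including padding regardless of how the compiler lowers the initializer. A short comment above the declaration saying that the structure is zeroed because it is copied to userland in full would also keep a later cleanup from undoing the fix.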