From patchwork Wed Dec 2 14:59:31 2015
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 551394
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Subject: [wily/master-next 1/7] staging/dgnc: fix info leak in ioctl
Date: Wed, 2 Dec 2015 14:59:31 +0000
Message-Id: <1449068377-21867-2-git-send-email-apw@canonical.com>
In-Reply-To: <1449068377-21867-1-git-send-email-apw@canonical.com>
References: <1449068377-21867-1-git-send-email-apw@canonical.com>
Cc: Andy Whitcroft

From: Salva Peiró

The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of struct digi_dinfo after the ->dinfo_nboards member. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Salva Peiró
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 4b6184336ebb5c8dc1eae7f7ab46ee608a748b05)
CVE-2015-7885
BugLink: http://bugs.launchpad.net/bugs/1509565
Signed-off-by: Andy Whitcroft
--- drivers/staging/dgnc/dgnc_mgmt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c index b13318a..883e2a8 100644 --- a/drivers/staging/dgnc/dgnc_mgmt.c +++ b/drivers/staging/dgnc/dgnc_mgmt.c @@ -115,6 +115,7 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg) spin_lock_irqsave(&dgnc_global_lock, flags); + memset(&ddi, 0, sizeof(ddi)); ddi.dinfo_nboards = dgnc_NumBoards; sprintf(ddi.dinfo_version, "%s", DG_PART);
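Review bot: the added memset(&ddi, 0, sizeof(ddi)) sits after spin_lock_irqsave(&dgnc_global_lock, flags), so the clear runs with the global lock held and interrupts disabled, although it only touches ddi, which from the &ddi / sizeof(ddi) usage looks like a function-local struct rather than shared state. Moving the memset() above the lock would keep the critical section down to the dgnc_NumBoards read without changing the fix. Using memset() rather than an initializer is the right choice here, since it clears the whole object including the _reserved bytes named in the commit message and any padding. As this is a cherry-pick, keeping it byte-identical to upstream is reasonable; the placement is a point for an upstream follow-up rather than a blocker for the backport.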