diff mbox

drivers/i2c/i2c-dev: Fix kernel memory disclosure

Message ID 1483977216-7623-1-git-send-email-vlad@tsyrklevich.net
State Accepted
Headers show

Commit Message

Vlad Tsyrklevich Jan. 9, 2017, 3:53 p.m. UTC 
i2c_smbus_xfer() does not always fill an entire block, allowing
kernel stack memory disclosure through the temp variable. Clear
it before it's read to.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
---
 drivers/i2c/i2c-dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Wolfram Sang Jan. 12, 2017, 6:36 p.m. UTC | #1 
On Mon, Jan 09, 2017 at 10:53:36PM +0700, Vlad Tsyrklevich wrote:
> i2c_smbus_xfer() does not always fill an entire block, allowing
> kernel stack memory disclosure through the temp variable. Clear
> it before it's read to.
> 
> Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>

Applied to for-current, thanks!

--
To unsubscribe from this list: send the line "unsubscribe linux-i2c" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 66f323f..6f638bb 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -331,7 +331,7 @@  static noinline int i2cdev_ioctl_smbus(struct i2c_client *client,
 		unsigned long arg)
 {
 	struct i2c_smbus_ioctl_data data_arg;
-	union i2c_smbus_data temp;
+	union i2c_smbus_data temp = {};
 	int datasize, res;
 
 	if (copy_from_user(&data_arg,