Message ID | 1483977216-7623-1-git-send-email-vlad@tsyrklevich.net |
---|---|
State | Accepted |
Headers | show |
On Mon, Jan 09, 2017 at 10:53:36PM +0700, Vlad Tsyrklevich wrote: > i2c_smbus_xfer() does not always fill an entire block, allowing > kernel stack memory disclosure through the temp variable. Clear > it before it's read to. > > Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net> Applied to for-current, thanks! -- To unsubscribe from this list: send the line "unsubscribe linux-i2c" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c index 66f323f..6f638bb 100644 --- a/drivers/i2c/i2c-dev.c +++ b/drivers/i2c/i2c-dev.c @@ -331,7 +331,7 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client, unsigned long arg) { struct i2c_smbus_ioctl_data data_arg; - union i2c_smbus_data temp; + union i2c_smbus_data temp = {}; int datasize, res; if (copy_from_user(&data_arg,
i2c_smbus_xfer() does not always fill an entire block, allowing kernel stack memory disclosure through the temp variable. Clear it before it's read to. Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net> --- drivers/i2c/i2c-dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)