From patchwork Sat Nov 6 14:41:24 2010
X-Patchwork-Submitter: Kulikov Vasiliy
X-Patchwork-Id: 70328
List-Id: Linux MTD discussion mailing list
From: Vasiliy Kulikov
To: kernel-janitors@vger.kernel.org
Cc: linux-mtd@lists.infradead.org, David Woodhouse, linux-kernel@vger.kernel.org
Subject: [PATCH] mtd: mtdchar: fix information leak to userland
Date: Sat, 6 Nov 2010 17:41:24 +0300
Message-Id: <1289054485-18190-1-git-send-email-segooon@gmail.com>

Structure mtd_info_user is copied to userland with padding bytes between
"type" and "flags" fields uninitialized. It leads to leaking of contents
of kernel stack memory.

Signed-off-by: Vasiliy Kulikov
---
 Compile tested.

 drivers/mtd/mtdchar.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index 3eff1e5..2a0bc9e 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -601,6 +601,7 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg) } case MEMGETINFO: + memset(&info, 0, sizeof(info)); info.type = mtd->type; info.flags = mtd->flags; info.size = mtd->size; @@ -609,7 +610,6 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg) info.oobsize = mtd->oobsize; /* The below fields are obsolete */ info.ecctype = -1; - info.eccsize = 0; if (copy_to_user(argp, &info, sizeof(struct mtd_info_user))) return -EFAULT; break;
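
Review bot: the memset() added at the top of the MEMGETINFO case (first hunk, @@ -601,6 +601,7) carries no comment, and because the field assignments follow immediately it looks redundant to anyone who has not read the changelog. A one-line comment above it, along the lines of /* clear padding so no kernel stack bytes are copied to userland */, would keep a later cleanup from removing it and reintroducing the leak between "type" and "flags".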
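
Review bot: in the second hunk (@@ -609,7 +610,6), dropping "info.eccsize = 0;" leaves the comment "The below fields are obsolete" sitting above a single assignment, and eccsize now gets its value only implicitly from the memset() added in the first hunk. Either keep the explicit assignment, which is harmless after the memset(), or reword the comment so it still matches the code. In the same context, copy_to_user() is sized with sizeof(struct mtd_info_user) while the new memset() uses sizeof(info); using sizeof(info) in both places would tie the cleared region and the copied region to the same object.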