From patchwork Tue Oct 1 16:05:04 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Luis Henriques
X-Patchwork-Id: 279493
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 745732C00BA for ; Wed, 2 Oct 2013 02:05:24 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1VR2Ro-00013q-Cu; Tue, 01 Oct 2013 16:05:16 +0000
Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1VR2Rh-00012o-00 for kernel-team@lists.ubuntu.com; Tue, 01 Oct 2013 16:05:08 +0000
Received: from bl15-111-94.dsl.telepac.pt ([188.80.111.94] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1VR2Rg-00046s-QK for kernel-team@lists.ubuntu.com; Tue, 01 Oct 2013 16:05:08 +0000
From: Luis Henriques
To: kernel-team@lists.ubuntu.com
Subject: [CVE 2/2] cpqarray: fix info leak in ida_locked_ioctl()
Date: Tue, 1 Oct 2013 17:05:04 +0100
Message-Id: <1380643504-20774-3-git-send-email-luis.henriques@canonical.com>
X-Mailer: git-send-email 1.8.3.2
In-Reply-To: <1380643504-20774-1-git-send-email-luis.henriques@canonical.com>
References: <1380643504-20774-1-git-send-email-luis.henriques@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

From: Dan Carpenter BugLink: http://bugs.launchpad.net/bugs/1188355 CVE-2013-2147 The pciinfo struct has a two byte hole after ->dev_fn so stack information could be leaked to the user. This was assigned CVE-2013-2147. Signed-off-by: Dan Carpenter Acked-by: Mike Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds (cherry picked from commit 627aad1c01da6f881e7f98d71fd928ca0c316b1a) Signed-off-by: Luis Henriques --- drivers/block/cpqarray.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c index 6422651..f9caa45 100644 --- a/drivers/block/cpqarray.c +++ b/drivers/block/cpqarray.c @@ -1181,6 +1181,7 @@ out_passthru: ida_pci_info_struct pciinfo; if (!arg) return -EINVAL; + memset(&pciinfo, 0, sizeof(pciinfo)); pciinfo.bus = host->pci_dev->bus->number; pciinfo.dev_fn = host->pci_dev->devfn; pciinfo.board_id = host->board_id;
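
Review bot: the memset() added ahead of the pciinfo.bus assignment carries no comment, and because bus, dev_fn and board_id are all assigned immediately after it, the call reads as redundant to anyone who has not seen the commit message. A one-line comment saying that it clears the two byte hole after ->dev_fn before the struct is handed to the user would keep a later cleanup from dropping it, or from swapping it for an initializer such as `= {0}`, which is not guaranteed to clear padding bytes. The hunk shows only this one struct; any other structures ida_locked_ioctl() returns to the user lie outside the visible context and deserve the same check.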