mtd: mtdchar: fix information leak to userland
Linux-MTD Mailing List
linux-mtd at lists.infradead.org
Fri Dec 3 11:59:03 EST 2010
Gitweb: http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=a0c5a3944ce121bb2417c771f77b18485cd84e18
Commit: a0c5a3944ce121bb2417c771f77b18485cd84e18
Parent: ac80dac00f8630803dc0c7f8fbe6983a8e2a8b5f
Author: Vasiliy Kulikov <segooon at gmail.com>
AuthorDate: Sat Nov 6 17:41:24 2010 +0300
Committer: David Woodhouse <David.Woodhouse at intel.com>
CommitDate: Fri Dec 3 16:29:12 2010 +0000
mtd: mtdchar: fix information leak to userland
Structure mtd_info_user is copied to userland with padding byted
between "type" and "flags" fields uninitialized. It leads to leaking
of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy at nokia.com>
Signed-off-by: David Woodhouse <David.Woodhouse at intel.com>
---
drivers/mtd/mtdchar.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 4759d82..cad8fcc 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -601,6 +601,7 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
}
case MEMGETINFO:
+ memset(&info, 0, sizeof(info));
info.type = mtd->type;
info.flags = mtd->flags;
info.size = mtd->size;
@@ -609,7 +610,6 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
info.oobsize = mtd->oobsize;
/* The below fields are obsolete */
info.ecctype = -1;
- info.eccsize = 0;
if (copy_to_user(argp, &info, sizeof(struct mtd_info_user)))
return -EFAULT;
break;
More information about the linux-mtd-cvs
mailing list