[patch] [media] bt8xx: info leak in ca_get_slot_info()
p_ca_slot_info was allocated with kmalloc() so we need to clear it before passing it to the user. Signed-off-by: Dan Carpenter dan.carpen...@oracle.com diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c index 0e788fc..6b9dc3f 100644 --- a/drivers/media/pci/bt8xx/dst_ca.c +++ b/drivers/media/pci/bt8xx/dst_ca.c @@ -302,8 +302,11 @@ static int ca_get_slot_info(struct dst_state *state, struct ca_slot_info *p_ca_s p_ca_slot_info-flags = CA_CI_MODULE_READY; p_ca_slot_info-num = 1; p_ca_slot_info-type = CA_CI; - } else + } else { p_ca_slot_info-flags = 0; + p_ca_slot_info-num = 0; + p_ca_slot_info-type = 0; + } if (copy_to_user(arg, p_ca_slot_info, sizeof (struct ca_slot_info))) return -EFAULT; -- To unsubscribe from this list: send the line unsubscribe linux-media in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
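Review bot: Ahead of copy_to_user(arg, p_ca_slot_info, sizeof (struct ca_slot_info)), both branches now initialize the buffer member by member (flags, num, type), so the fix is complete only while those three members account for every byte of struct ca_slot_info, and nothing in the hunk enforces that. The commit message says the kmalloc() buffer needs to be cleared. Zeroing the whole struct once before the if (or allocating it zeroed at the call site, which is outside this hunk) would also cover any padding and any member added later, and the new num and type assignments in the else branch would no longer be needed. If the per-field form is kept, the commit message should state that the struct consists of exactly these three members with no padding, so the fix can be verified from the patch alone.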
Re: [patch] [media] bt8xx: info leak in ca_get_slot_info()
On 25.07.2013 18:46, Dan Carpenter wrote:
p_ca_slot_info was allocated with kmalloc() so we need to clear it before passing it to the user. Signed-off-by: Dan Carpenter dan.carpen...@oracle.com diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c index 0e788fc..6b9dc3f 100644 --- a/drivers/media/pci/bt8xx/dst_ca.c +++ b/drivers/media/pci/bt8xx/dst_ca.c @@ -302,8 +302,11 @@ static int ca_get_slot_info(struct dst_state *state, struct ca_slot_info *p_ca_s p_ca_slot_info-flags = CA_CI_MODULE_READY; p_ca_slot_info-num = 1; p_ca_slot_info-type = CA_CI; - } else + } else { p_ca_slot_info-flags = 0; + p_ca_slot_info-num = 0; + p_ca_slot_info-type = 0; + } if (copy_to_user(arg, p_ca_slot_info, sizeof (struct ca_slot_info))) return -EFAULT;
note: I have no clue what p_ca_slot_info looks like, but to avoid information leaks via compiler padding etc. it could be more wise to do a memset(p_ca_slot_info,0,sizeof (struct ca_slot_info)) and then set the p_ca_slot_info->flags = CA_CI_MODULE_READY; p_ca_slot_info->num = 1; p_ca_slot_info->type = CA_CI;
just my 2 cents, re, wh
Re: [patch] [media] bt8xx: info leak in ca_get_slot_info()
On Thu, Jul 25, 2013 at 07:29:09PM +0200, walter harms wrote:
On 25.07.2013 18:46, Dan Carpenter wrote:
p_ca_slot_info was allocated with kmalloc() so we need to clear it before passing it to the user. Signed-off-by: Dan Carpenter dan.carpen...@oracle.com diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c index 0e788fc..6b9dc3f 100644 --- a/drivers/media/pci/bt8xx/dst_ca.c +++ b/drivers/media/pci/bt8xx/dst_ca.c @@ -302,8 +302,11 @@ static int ca_get_slot_info(struct dst_state *state, struct ca_slot_info *p_ca_s p_ca_slot_info-flags = CA_CI_MODULE_READY; p_ca_slot_info-num = 1; p_ca_slot_info-type = CA_CI; - } else + } else { p_ca_slot_info-flags = 0; + p_ca_slot_info-num = 0; + p_ca_slot_info-type = 0; + } if (copy_to_user(arg, p_ca_slot_info, sizeof (struct ca_slot_info))) return -EFAULT;
note: I have no clue what p_ca_slot_info looks like, but to avoid information leaks via compiler padding etc. it could be more wise to do a memset(p_ca_slot_info,0,sizeof (struct ca_slot_info)) and then set the
There is no compiler padding. My static checker looks for that.
regards, dan carpenter
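The padding question raised in this thread, as an added user-space example (not code from the thread or from the driver): it counts how many stale bytes a sizeof-sized copy would expose after member-by-member initialization, with and without a memset() first. Both struct layouts, the STALE marker and all function names are assumptions made for illustration, and the `_Static_assert` is only a stand-in for a padding check, not the static checker mentioned above.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for old heap contents */

/* Hypothetical layouts for illustration; neither is the driver's struct. */
struct three_ints { int num; int type; unsigned int flags; };
struct padded     { char num; int type; unsigned int flags; };

/* Compile-time stand-in for a padding check: the build fails on a hole. */
_Static_assert(sizeof(struct three_ints) == 2 * sizeof(int) + sizeof(unsigned int),
               "struct three_ints has padding");

struct member { size_t off, len; };
#define M(T, f) { offsetof(T, f), sizeof(((T *)0)->f) }
/* Model a recycled kmalloc() buffer: fill with STALE, optionally memset()
 * it, store 0 into each listed member, then count the stale bytes left in
 * the sizeof(struct) region that copy_to_user() would hand to user space. */
static size_t leaked_bytes(size_t size, const struct member *m, size_t n, int zero_first)
{
    const unsigned int zero = 0;
    unsigned char *buf = malloc(size);
    size_t i, leaked = 0;
    if (!buf) return (size_t)-1;
    memset(buf, STALE, size);
    if (zero_first)
        memset(buf, 0, size);
    for (i = 0; i < n; i++)
        memcpy(buf + m[i].off, &zero, m[i].len); /* member-wise store */
    for (i = 0; i < size; i++)
        leaked += (buf[i] == STALE);
    free(buf);
    return leaked;
}

static const struct member ints_m[] = { M(struct three_ints, num), M(struct three_ints, type), M(struct three_ints, flags) };
static const struct member pad_m[]  = { M(struct padded, num), M(struct padded, type), M(struct padded, flags) };
static size_t leak_ints_fieldwise(void)   { return leaked_bytes(sizeof(struct three_ints), ints_m, 3, 0); }
static size_t leak_padded_fieldwise(void) { return leaked_bytes(sizeof(struct padded), pad_m, 3, 0); }
static size_t leak_padded_memset(void)    { return leaked_bytes(sizeof(struct padded), pad_m, 3, 1); }

int main(void)
{
    printf("stale bytes: ints=%zu padded=%zu padded+memset=%zu\n",
           leak_ints_fieldwise(), leak_padded_fieldwise(), leak_padded_memset());
    return 0;
}
```

Member-by-member initialization leaves nothing stale in the hole-free layout, while the padded layout keeps its padding bytes stale unless the buffer is zeroed first.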