The "info.fill" array isn't initialized so it can leak uninitialized
stack information to user space.
Signed-off-by: Dan Carpenter <[email protected]>
diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
index 44d273c..ed5fc43 100644
--- a/drivers/misc/sgi-gru/grufile.c
+++ b/drivers/misc/sgi-gru/grufile.c
@@ -176,6 +176,7 @@ static long gru_get_config_info(unsigned long arg)
info.nodes = num_online_nodes();
info.blades = info.nodes / nodesperblade;
info.chiplets = GRU_CHIPLETS_PER_BLADE * info.blades;
+ memset(&info.fill, 0, sizeof(info.fill));
if (copy_to_user((void __user *)arg, &info, sizeof(info)))
return -EFAULT;
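Review bot: The memset added just before copy_to_user() clears only info.fill, while the copy sends sizeof(info) bytes, so any padding the compiler places between members, and any member added to the struct later, would still go out uninitialised. Clearing the whole struct once before the first assignment, memset(&info, 0, sizeof(info)), covers those cases and does not need revisiting when the layout changes.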
Am 21.04.2013 13:10, schrieb Dan Carpenter:
> The "info.fill" array isn't initialized so it can leak uninitialized
> stack information to user space.
>
> Signed-off-by: Dan Carpenter <[email protected]>
>
> diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> index 44d273c..ed5fc43 100644
> --- a/drivers/misc/sgi-gru/grufile.c
> +++ b/drivers/misc/sgi-gru/grufile.c
> @@ -176,6 +176,7 @@ static long gru_get_config_info(unsigned long arg)
> info.nodes = num_online_nodes();
> info.blades = info.nodes / nodesperblade;
> info.chiplets = GRU_CHIPLETS_PER_BLADE * info.blades;
> + memset(&info.fill, 0, sizeof(info.fill));
>
The other way around (clearing all bytes first) looks easier
in case someone adds more elements to the struct.
memset(&info, 0, sizeof(info));
info.nodes = num_online_nodes();
info.blades = info.nodes / nodesperblade;
....
re,
wh
> if (copy_to_user((void __user *)arg, &info, sizeof(info)))
> return -EFAULT;
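The difference between the two memset placements discussed in this message, as an added user-space example that is not code from the thread or from the driver. The struct `demo_info`, its members, and the 0xAA poison byte standing in for stale stack contents are all hypothetical; the example also counts compiler padding, which goes one step beyond the "more elements" case raised in the reply.

```c
#include <stdio.h>
#include <string.h>

#define POISON 0xAA  /* constructed stand-in for stale stack contents */

/* Hypothetical reply struct (not the driver's): padding after `kind`,
 * a member added later that nobody assigns, and a reserved array. */
struct demo_info {
    char kind;
    long nodes;
    int  added_later;
    int  fill[4];
};

/* Count bytes that still hold the poison pattern, i.e. would be leaked. */
static size_t stale_bytes(const void *p, size_t len)
{
    const unsigned char *b = p;
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        n += (b[i] == POISON);
    return n;
}

/* First version's shape: assign known fields, clear only fill[]. */
size_t leak_partial(void)
{
    struct demo_info info;
    memset(&info, POISON, sizeof(info));   /* simulate a dirty stack slot */
    info.kind = 1;
    info.nodes = 4;
    memset(&info.fill, 0, sizeof(info.fill));
    return stale_bytes(&info, sizeof(info));
}

/* Suggested shape: clear everything first, then assign. */
size_t leak_full(void)
{
    struct demo_info info;
    memset(&info, POISON, sizeof(info));   /* simulate a dirty stack slot */
    memset(&info, 0, sizeof(info));
    info.kind = 1;
    info.nodes = 4;
    return stale_bytes(&info, sizeof(info));
}

int main(void)
{
    printf("partial: %zu stale, full: %zu stale\n", leak_partial(), leak_full());
    return 0;
}
```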
On Sun, Apr 21, 2013 at 01:56:57PM +0200, walter harms wrote:
>
>
> Am 21.04.2013 13:10, schrieb Dan Carpenter:
> > The "info.fill" array isn't initialized so it can leak uninitialized
> > stack information to user space.
> >
> > Signed-off-by: Dan Carpenter <[email protected]>
> >
> > diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> > index 44d273c..ed5fc43 100644
> > --- a/drivers/misc/sgi-gru/grufile.c
> > +++ b/drivers/misc/sgi-gru/grufile.c
> > @@ -176,6 +176,7 @@ static long gru_get_config_info(unsigned long arg)
> > info.nodes = num_online_nodes();
> > info.blades = info.nodes / nodesperblade;
> > info.chiplets = GRU_CHIPLETS_PER_BLADE * info.blades;
> > + memset(&info.fill, 0, sizeof(info.fill));
> >
>
> The other way around (clearing all bytes first) looks easier
> in case someone adds more elements to the struct.
>
> memset(&info, 0, sizeof(info));
> info.nodes = num_online_nodes();
> info.blades = info.nodes / nodesperblade;
That does seem more safe.
Robin
The "info.fill" array isn't initialized so it can leak uninitialized
stack information to user space.
Signed-off-by: Dan Carpenter <[email protected]>
---
v2: style changes
diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
index 44d273c..0535d1e 100644
--- a/drivers/misc/sgi-gru/grufile.c
+++ b/drivers/misc/sgi-gru/grufile.c
@@ -172,6 +172,7 @@ static long gru_get_config_info(unsigned long arg)
nodesperblade = 2;
else
nodesperblade = 1;
+ memset(&info, 0, sizeof(info));
info.cpus = num_online_cpus();
info.nodes = num_online_nodes();
info.blades = info.nodes / nodesperblade;
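Review bot: The memset(&info, 0, sizeof(info)) added ahead of the info.cpus assignment carries no comment, and the description above still speaks only of info.fill, so the reason for clearing the whole struct is not recorded anywhere; the v2 note "style changes" undersells a change in what gets zeroed. A short comment on that line, or a changelog sentence saying the struct is cleared so that nothing uninitialised can reach user space, would keep a later cleanup from trimming it back to the assigned fields.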
Acked-by: Dimitri Sivanich <[email protected]>
On Sun, Apr 21, 2013 at 08:01:07PM +0300, Dan Carpenter wrote:
> The "info.fill" array isn't initialized so it can leak uninitialized
> stack information to user space.
>
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> v2: style changes
>
> diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> index 44d273c..0535d1e 100644
> --- a/drivers/misc/sgi-gru/grufile.c
> +++ b/drivers/misc/sgi-gru/grufile.c
> @@ -172,6 +172,7 @@ static long gru_get_config_info(unsigned long arg)
> nodesperblade = 2;
> else
> nodesperblade = 1;
> + memset(&info, 0, sizeof(info));
> info.cpus = num_online_cpus();
> info.nodes = num_online_nodes();
> info.blades = info.nodes / nodesperblade;
Acked-by: Robin Holt <[email protected]>
On Sun, Apr 21, 2013 at 12:33:34PM -0500, Dimitri Sivanich wrote:
> Acked-by: Dimitri Sivanich <[email protected]>
>
> On Sun, Apr 21, 2013 at 08:01:07PM +0300, Dan Carpenter wrote:
> > The "info.fill" array isn't initialized so it can leak uninitialized
> > stack information to user space.
> >
> > Signed-off-by: Dan Carpenter <[email protected]>
> > ---
> > v2: style changes
> >
> > diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> > index 44d273c..0535d1e 100644
> > --- a/drivers/misc/sgi-gru/grufile.c
> > +++ b/drivers/misc/sgi-gru/grufile.c
> > @@ -172,6 +172,7 @@ static long gru_get_config_info(unsigned long arg)
> > nodesperblade = 2;
> > else
> > nodesperblade = 1;
> > + memset(&info, 0, sizeof(info));
> > info.cpus = num_online_cpus();
> > info.nodes = num_online_nodes();
> > info.blades = info.nodes / nodesperblade;