Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753851AbdFSSz1 (ORCPT + 2 others); Mon, 19 Jun 2017 14:55:27 -0400 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:52610 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751641AbdFSSiS (ORCPT ); Mon, 19 Jun 2017 14:38:18 -0400 From: Willy Tarreau To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux@roeck-us.net Cc: Vlad Tsyrklevich , Wolfram Sang , Willy Tarreau Subject: [PATCH 3.10 098/268] i2c: fix kernel memory disclosure in dev interface Date: Mon, 19 Jun 2017 20:29:57 +0200 Message-Id: <1497897167-14556-99-git-send-email-w@1wt.eu> X-Mailer: git-send-email 2.8.0.rc2.1.gbe9624a In-Reply-To: <1497897167-14556-1-git-send-email-w@1wt.eu> References: <1497897167-14556-1-git-send-email-w@1wt.eu> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: From: Vlad Tsyrklevich commit 30f939feaeee23e21391cfc7b484f012eb189c3c upstream. i2c_smbus_xfer() does not always fill an entire block, allowing kernel stack memory disclosure through the temp variable. Clear it before it's read to. Signed-off-by: Vlad Tsyrklevich Signed-off-by: Wolfram Sang Signed-off-by: Willy Tarreau --- drivers/i2c/i2c-dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c index c3ccdea..fa3ecec 100644 --- a/drivers/i2c/i2c-dev.c +++ b/drivers/i2c/i2c-dev.c @@ -328,7 +328,7 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client, unsigned long arg) { struct i2c_smbus_ioctl_data data_arg; - union i2c_smbus_data temp; + union i2c_smbus_data temp = {}; int datasize, res; if (copy_from_user(&data_arg, -- 2.8.0.rc2.1.gbe9624a
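Review bot: The `union i2c_smbus_data temp = {};` initializer in i2cdev_ioctl_smbus() depends on the compiler zeroing every byte of the union, which the language does not promise. An empty brace initializer is a GNU extension in the C dialects this tree is built with, and for a union C only guarantees that the first named member is initialized. The commit message states the goal is to stop stack bytes leaking through temp when i2c_smbus_xfer() does not fill an entire block, so the clear has to cover the union's largest member. The union definition is not visible in this hunk. Either confirm that the generated code clears the full sizeof(temp), or replace the initializer with an explicit `memset(&temp, 0, sizeof(temp));` placed after the declarations and before the copy_from_user() call, which states the intent unambiguously. It would also help to name in the commit message the path that copies temp back to user space, so backport reviewers can check that no other buffer in that path has the same problem.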