From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tomas Bortoli , syzbot+0522702e9d67142379f1@syzkaller.appspotmail.com, Sean Young , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 4.19 142/211] media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() Date: Thu, 3 Oct 2019 17:53:28 +0200 Message-Id: <20191003154519.590260656@linuxfoundation.org> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20191003154447.010950442@linuxfoundation.org> References: <20191003154447.010950442@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Tomas Bortoli [ Upstream commit a10feaf8c464c3f9cfdd3a8a7ce17e1c0d498da1 ] The function at issue does not always initialize each byte allocated for 'b' and can therefore leak uninitialized memory to a USB device in the call to usb_bulk_msg() Use kzalloc() instead of kmalloc() Signed-off-by: Tomas Bortoli Reported-by: syzbot+0522702e9d67142379f1@syzkaller.appspotmail.com Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/usb/ttusb-dec/ttusb_dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c index 44ca66cb9b8f1..f34efa7c61b40 100644 --- a/drivers/media/usb/ttusb-dec/ttusb_dec.c +++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c @@ -329,7 +329,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, dprintk("%s\n", __func__); - b = kmalloc(COMMAND_PACKET_SIZE + 4, GFP_KERNEL); + b = kzalloc(COMMAND_PACKET_SIZE + 4, GFP_KERNEL); if (!b) return -ENOMEM; -- 2.20.1
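Review bot: At the kmalloc() to kzalloc() change in ttusb_dec_send_command(), the commit message says 'b' is not always fully initialized but does not name which bytes of the COMMAND_PACKET_SIZE + 4 buffer are left unwritten, or under what condition. One sentence stating that would let a stable reviewer confirm from the message alone that zero-filling the whole allocation closes the leak through usb_bulk_msg(). The trailers also carry no Fixes: tag, so the range of affected trees has to be inferred. Zeroing at allocation is the minimal fix and keeps the existing `if (!b) return -ENOMEM;` path unchanged. It would be worth checking whether other kmalloc()'d buffers in this driver are handed to usb_bulk_msg() with the same partially filled pattern.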