DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=from:to:cc:subject:date:message-id:x-mailer;
        b=VPDlFSeQ/hPSQn2UfbyFSaVa0DnIwpljDUHPz68jyFQ6yekCGjnanfibrKkyFz5qG0
         m+hFt5/S8JqfcIohibYZMVmqngb6Jj5HkC6HkBYD7LZ4avp/Beubk/b8KC9SsDBX1VYg
         NwLNykMdgcYfWSPD2TBmjPsyxMfQvAQSeqgdo=
From: Vasiliy Kulikov <segooon@gmail.com>
To: kernel-janitors@vger.kernel.org
Cc: David Woodhouse <dwmw2@infradead.org>, linux-mtd@lists.infradead.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH] mtd: mtdchar: fix information leak to userland
Date: Sat,  6 Nov 2010 17:41:24 +0300
Message-Id: <1289054485-18190-1-git-send-email-segooon@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1246
Lines: 39

Structure mtd_info_user is copied to userland with padding byted
between "type" and "flags" fields uninitialized.  It leads to leaking
of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
---
 Compile tested.

 drivers/mtd/mtdchar.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 3eff1e5..2a0bc9e 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -601,6 +601,7 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
 	}
 
 	case MEMGETINFO:
+		memset(&info, 0, sizeof(info));
 		info.type	= mtd->type;
 		info.flags	= mtd->flags;
 		info.size	= mtd->size;
@@ -609,7 +610,6 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
 		info.oobsize	= mtd->oobsize;
 		/* The below fields are obsolete */
 		info.ecctype	= -1;
-		info.eccsize	= 0;
 		if (copy_to_user(argp, &info, sizeof(struct mtd_info_user)))
 			return -EFAULT;
 		break;
-- 
1.7.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/