
mtd: mtdchar: fix information leak to userland

Structure mtd_info_user is copied to userland with the padding bytes
between the "type" and "flags" fields uninitialized.  This leaks the
contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Vasiliy Kulikov 14 years ago
parent
commit
a0c5a3944c
1 changed files with 1 additions and 1 deletions
  1. 1 1
      drivers/mtd/mtdchar.c

+ 1 - 1
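--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -601,6 +601,7 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
 	}
 
 	case MEMGETINFO:
+		memset(&info, 0, sizeof(info));
 		info.type	= mtd->type;
 		info.flags	= mtd->flags;
 		info.size	= mtd->size;
@@ -609,7 +610,6 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
 		info.oobsize	= mtd->oobsize;
 		/* The below fields are obsolete */
 		info.ecctype	= -1;
-		info.eccsize	= 0;
 		if (copy_to_user(argp, &info, sizeof(struct mtd_info_user)))
 			return -EFAULT;
 		break;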
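Review bot: The added `memset(&info, 0, sizeof(info));` under `case MEMGETINFO:` has no comment saying it exists to clear the padding between `type` and `flags`, so a later cleanup could replace it with per-field assignments or an initializer that is not guaranteed to zero padding, and the stack leak would return. I would add `/* zero padding too: info is copied to userland as a whole */` above it. The copy a few lines down still uses `sizeof(struct mtd_info_user)` while the memset uses `sizeof(info)`; writing `copy_to_user(argp, &info, sizeof(info))` would tie the cleared size and the copied size to the same object. mtd_ioctl begins and ends outside these hunks, so whether its other cases copy stack structures to userland with the same gap cannot be judged from here.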