diff options
| author | Jonathan Salwan <jonathan.salwan@gmail.com> | 2013-07-03 22:01:13 +0000 |
|---|---|---|
| committer | Willy Tarreau <w@1wt.eu> | 2014-05-19 07:53:15 +0200 |
| commit | 6c8fbb40df75444547dd4a6ee4dbc67af7e76c1b (patch) | |
| tree | f655dbd8097e098b008288de505ac5d00dcecb38 /drivers | |
| parent | 81fd7a2965dc182bb0bc2de2f4e1b076aad5ab8c (diff) | |
drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
area with kmalloc in line 2885.
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
2886 if (cgc->buffer == NULL)
2887 return -ENOMEM;
In line 2908 we can find the copy_to_user function:
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
The cgc->buffer is never cleaned and initialized before this function.
If ret = 0 with the previous basic block, it's possible to display some
memory bytes in kernel space from userspace.
When we read a block from the disk it normally fills the ->buffer but if
the drive is malfunctioning there is a chance that it would only be
partially filled. The result is an leak information to userspace.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/cdrom/cdrom.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c index a4592ecd5cb0..71a78dcd214c 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -2822,7 +2822,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi, if (lba < 0) return -EINVAL; - cgc->buffer = kmalloc(blocksize, GFP_KERNEL); + cgc->buffer = kzalloc(blocksize, GFP_KERNEL); if (cgc->buffer == NULL) return -ENOMEM; |