author | steven_syu <steven_syu@asus.com> | 2016-08-17 17:02:20 +0800 |
---|---|---|
committer | Carol_Jiang <carol_jiang@asus.com> | 2016-08-17 17:32:13 +0800 |
commit | f3e198c66b7712d57dca0b7c2a34905f79f84a1c (patch) | |
tree | 91d20cf91924da404ae5c1c0386ca01919f73785 | |
parent | eb5b2036f4f7c329cbb8039b882251a40e1f03fd (diff) |
robin: security: patch for CVE-2016-4482android-wear-6.0.1_r0.61
Subject: [PATCH] USB: usbfs: fix potential infoleak in devio
The stack object "ci" has a total size of 8 bytes. Its last 3 bytes
are padding bytes which are not initialized and leaked to userland
via "copy_to_user".
Change-Id: I0e72b4f00bf253d472bfce2660e5370de99d0018
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/249847
Reviewed-by: Steven Syu <steven_syu@asus.com>
Tested-by: Steven Syu <steven_syu@asus.com>
Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
-rw-r--r-- | drivers/usb/core/devio.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index ce773cca2bf5..87734840292b 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1105,10 +1105,11 @@ static int proc_getdriver(struct dev_state *ps, void __user *arg)
 
 static int proc_connectinfo(struct dev_state *ps, void __user *arg)
 {
- struct usbdevfs_connectinfo ci = {
- .devnum = ps->dev->devnum,
- .slow = ps->dev->speed == USB_SPEED_LOW
- };
+ struct usbdevfs_connectinfo ci;
+
+ memset(&ci, 0, sizeof(ci));
+ ci.devnum = ps->dev->devnum;
+ ci.slow = ps->dev->speed == USB_SPEED_LOW;
 
 if (copy_to_user(arg, &ci, sizeof(ci)))
 return -EFAULT;
|
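Review bot: Nothing in the new lines of proc_connectinfo() records why `ci` is cleared with memset() instead of being built with a designated initializer, so a later tidy-up could restore the initializer and with it the uninitialized padding bytes that copy_to_user() hands to userland. I would add a comment directly above the memset(), for example `/* memset, not an initializer: padding in ci must be zero before copy_to_user() */`. The function body continues past the end of the hunk, so the rest of it is not reviewed here. Other stack structs that this file passes to copy_to_user() may deserve the same check, though none are visible in this hunk.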