linux-kernel - [PATCH 3.12 159/235] i2c: fix kernel memory disclosure in dev interface

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-Id: <142088b084b05f9cfe68ee3e433e738016e3c0e5.1485514374.git.jslaby@suse.cz>
Date:   Fri, 27 Jan 2017 11:54:52 +0100
From:   Jiri Slaby <jslaby@...e.cz>
To:     stable@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org,
        Vlad Tsyrklevich <vlad@...rklevich.net>,
        Wolfram Sang <wsa@...-dreams.de>, Jiri Slaby <jslaby@...e.cz>
Subject: [PATCH 3.12 159/235] i2c: fix kernel memory disclosure in dev interface

From: Vlad Tsyrklevich <vlad@...rklevich.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 30f939feaeee23e21391cfc7b484f012eb189c3c upstream.

i2c_smbus_xfer() does not always fill an entire block, allowing
kernel stack memory disclosure through the temp variable. Clear
it before it's read to.

Signed-off-by: Vlad Tsyrklevich <vlad@...rklevich.net>
Signed-off-by: Wolfram Sang <wsa@...-dreams.de>
Signed-off-by: Jiri Slaby <jslaby@...e.cz>
---
 drivers/i2c/i2c-dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index c3ccdea3d180..fa3ecec524fa 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -328,7 +328,7 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client,
 		unsigned long arg)
 {
 	struct i2c_smbus_ioctl_data data_arg;
-	union i2c_smbus_data temp;
+	union i2c_smbus_data temp = {};
 	int datasize, res;
 
 	if (copy_from_user(&data_arg,
-- 
2.11.0