From: Dan Carpenter <dan.carpenter@oracle.com>
To: Felix Fietkau <nbd@nbd.name>
Cc: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>,
Ryder Lee <ryder.lee@mediatek.com>,
Shayne Chen <shayne.chen@mediatek.com>,
Sean Wang <sean.wang@mediatek.com>, Kalle Valo <kvalo@kernel.org>,
Matthias Brugger <matthias.bgg@gmail.com>,
MeiChia Chiu <meichia.chiu@mediatek.com>,
Money Wang <Money.Wang@mediatek.com>,
linux-wireless@vger.kernel.org,
linux-mediatek@lists.infradead.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH] mt76: mt7915: fix a couple information leaks
Date: Fri, 7 Jan 2022 10:36:09 +0300
Message-ID: <20220107073609.GH22086@kili>
Unfortunately this code has stumbled into some deep C standards
nonsense. These two structs have a 3 byte struct hole at the end. If
you partially initialize a struct then the C standard specifies that
all the struct holes are zeroed out. But when you initialize all the
members of the struct, as this code does, then struct holes may be left
with uninitialized stack data. This is from C11 section 6.7.9 and how
it is implemented in GCC.
Anyway, add some memsets to prevent exposing uninitialized stack data
to the user. Debugfs is root only so the real life impact of these
leaks is very small.
Fixes: 1966a5078f2d ("mt76: mt7915: add mu-mimo and ofdma debugfs knobs")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
.../net/wireless/mediatek/mt76/mt7915/mcu.c | 21 ++++++++++---------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index 0911b6f973b5..19c340c65465 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -2999,10 +2999,11 @@ int mt7915_mcu_muru_debug_set(struct mt7915_dev *dev, bool enabled)
struct {
__le32 cmd;
u8 enable;
- } data = {
- .cmd = cpu_to_le32(MURU_SET_TXC_TX_STATS_EN),
- .enable = enabled,
- };
+ } data;
+
+ memset(&data, 0, sizeof(data));
+ data.cmd = cpu_to_le32(MURU_SET_TXC_TX_STATS_EN);
+ data.enable = enabled;
return mt76_mcu_send_msg(&dev->mt76, MCU_EXT_CMD(MURU_CTRL), &data,
sizeof(data), false);
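Review bot: The anonymous struct behind `} data;` still has its 3-byte tail hole, so correctness here depends on nobody converting the memset-plus-assignments back into a designated initializer later. Consider declaring the padding explicitly (for example a `u8 rsv[3];` member after `enable`), which keeps `sizeof(data)` at the same value passed to mt76_mcu_send_msg() and lets the original initializer zero every byte, or at least add a one-line comment above the memset saying it exists to clear the padding.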
@@ -3014,15 +3015,15 @@ int mt7915_mcu_muru_debug_get(struct mt7915_phy *phy, void *ms)
struct sk_buff *skb;
struct mt7915_mcu_muru_stats *mu_stats =
(struct mt7915_mcu_muru_stats *)ms;
- int ret;
-
struct {
__le32 cmd;
u8 band_idx;
- } req = {
- .cmd = cpu_to_le32(MURU_GET_TXC_TX_STATS),
- .band_idx = phy != &dev->phy,
- };
+ } req;
+ int ret;
+
+ memset(&req, 0, sizeof(req));
+ req.cmd = cpu_to_le32(MURU_GET_TXC_TX_STATS);
+ req.band_idx = phy != &dev->phy;
ret = mt76_mcu_send_and_get_msg(&dev->mt76, MCU_EXT_CMD(MURU_CTRL),
&req, sizeof(req), true, &skb);
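Review bot: Moving `int ret;` below the struct declaration is unrelated to the leak fix and makes this hunk larger than it needs to be; either leave the declaration where it was or mention the cleanup in the changelog. As with `data` in the first hunk, `req` is sent with `sizeof(req)`, so an explicit reserved member covering the 3 trailing bytes, or a short comment on the memset, would make it harder for a later cleanup to reintroduce the hole.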
--
2.20.1
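The struct-hole behaviour described in the commit message, as an added example that is not part of the patch or the mt76 driver. `struct muru_req`, `build_request()` and the 0xAA fill are hypothetical stand-ins; the fill simulates leftover stack contents deterministically, and a typical ABI with 4-byte-aligned `uint32_t` is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in with the layout of the patch's request structs. */
struct muru_req {
	uint32_t cmd;       /* __le32 cmd in the driver */
	uint8_t  band_idx;  /* followed by the trailing hole */
};

/* Offset where trailing padding starts, and how many bytes it spans. */
#define TAIL_OFF (offsetof(struct muru_req, band_idx) + sizeof(uint8_t))
#define TAIL_PAD (sizeof(struct muru_req) - TAIL_OFF)

/* Count padding bytes that still hold stale (non-zero) data. */
static size_t stale_tail_bytes(const struct muru_req *r)
{
	const unsigned char *p = (const unsigned char *)r;
	size_t i, n = 0;

	for (i = TAIL_OFF; i < sizeof(*r); i++)
		n += (p[i] != 0);
	return n;
}

/*
 * Build a request in a slot pre-filled with 0xAA, a constructed stand-in
 * for leftover stack contents. With use_memset == 0 only the members are
 * written, which models an initializer that leaves the hole untouched.
 */
static size_t build_request(int use_memset)
{
	struct muru_req req;

	memset(&req, 0xAA, sizeof(req));        /* simulate a dirty stack slot */
	if (use_memset)
		memset(&req, 0, sizeof(req));   /* the pattern the patch adopts */
	req.cmd = 0x1234;                       /* constructed command id */
	req.band_idx = 1;
	return stale_tail_bytes(&req);          /* bytes that would be sent as-is */
}
```

Passing `sizeof(req)` to a send or copy routine transmits the padding along with the members, which is why the count returned here corresponds to the number of leaked bytes.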