From: Greg KH <gregkh@suse.de>
To: Linus Torvalds <torvalds@osdl.org>, Andrew Morton <akpm@osdl.org>
Cc: linux-kernel@vger.kernel.org, stern@rowland.harvard.edu
Subject: [patch 20/29] USB: usbfs: Don't leak uninitialized data
Date: Fri, 29 Jul 2005 12:16:58 -0700
Message-ID: <20050729191658.GV5095@kroah.com>
In-Reply-To: <20050729191255.GA5095@kroah.com>
[-- Attachment #1: usb-usbfs-dont-leak-data.patch --]
[-- Type: text/plain, Size: 2195 bytes --]
From: Alan Stern <stern@rowland.harvard.edu>
This patch fixes an information leak in the usbfs snoop facility:
uninitialized data from __get_free_page can be returned to userspace and
written to the system log. It also improves the snoop output by printing
the wLength value.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/core/devio.c | 18 ++++++++++++------
1 files changed, 12 insertions(+), 6 deletions(-)
--- gregkh-2.6.orig/drivers/usb/core/devio.c 2005-07-29 11:29:48.000000000 -0700
+++ gregkh-2.6/drivers/usb/core/devio.c 2005-07-29 11:36:28.000000000 -0700
@@ -569,8 +569,11 @@
free_page((unsigned long)tbuf);
return -EINVAL;
}
- snoop(&dev->dev, "control read: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n",
- ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex);
+ snoop(&dev->dev, "control read: bRequest=%02x "
+ "bRrequestType=%02x wValue=%04x "
+ "wIndex=%04x wLength=%04x\n",
+ ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
+ ctrl.wIndex, ctrl.wLength);
usb_unlock_device(dev);
i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,
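Review bot: the re-wrapped format string in this snoop() call still carries the misspelling "bRrequestType" (doubled "r"). Since the line is being rewritten anyway, spell it "bRequestType" so the logged field name matches the ctrl.bRequestType member it prints and is easier to grep for. It would also help to make clear in the message that wLength is the requested length, because the data dump that follows is bounded by the actual transfer count, not by this value.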
@@ -579,11 +582,11 @@
if ((i > 0) && ctrl.wLength) {
if (usbfs_snoop) {
dev_info(&dev->dev, "control read: data ");
- for (j = 0; j < ctrl.wLength; ++j)
+ for (j = 0; j < i; ++j)
printk ("%02x ", (unsigned char)(tbuf)[j]);
printk("\n");
}
- if (copy_to_user(ctrl.data, tbuf, ctrl.wLength)) {
+ if (copy_to_user(ctrl.data, tbuf, i)) {
free_page((unsigned long)tbuf);
return -EFAULT;
}
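Review bot: the dump loop and copy_to_user() now both depend on i being the number of bytes actually received, but nothing at this site says so. A one-line comment above "for (j = 0; j < i; ++j)" would keep a later cleanup from switching the bound back to ctrl.wLength. If tbuf is still obtained with __get_free_page as the description states, allocating it zeroed (for example with get_zeroed_page()) would keep stale page contents out of the log and out of userspace even if the bound regresses.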
@@ -595,8 +598,11 @@
return -EFAULT;
}
}
- snoop(&dev->dev, "control write: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n",
- ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex);
+ snoop(&dev->dev, "control write: bRequest=%02x "
+ "bRrequestType=%02x wValue=%04x "
+ "wIndex=%04x wLength=%04x\n",
+ ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
+ ctrl.wIndex, ctrl.wLength);
if (usbfs_snoop) {
dev_info(&dev->dev, "control write: data: ");
for (j = 0; j < ctrl.wLength; ++j)
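Review bot: the dump loop in the trailing context, "for (j = 0; j < ctrl.wLength; ++j)", still runs to ctrl.wLength on the write side while the read side was changed to the transfer count. Please state in the changelog that tbuf is fully populated with wLength bytes before this point, so the unchanged loop is not taken for a missed instance of the same leak. The "bRrequestType" misspelling is carried over into this format string as well.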
--