From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754393AbaELCK1 (ORCPT ); Sun, 11 May 2014 22:10:27 -0400 Received: from 1wt.eu ([62.212.114.60]:34506 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752671AbaELBmQ (ORCPT ); Sun, 11 May 2014 21:42:16 -0400 Message-Id: <20140512003201.012213718@1wt.eu> User-Agent: quilt/0.48-1 Date: Mon, 12 May 2014 02:32:09 +0200 From: Willy Tarreau To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Dan Carpenter , Mike Miller , Andrew Morton , Linus Torvalds , Willy Tarreau Subject: [ 009/143] cciss: fix info leak in cciss_ioctl32_passthru() In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 2.6.32-longterm review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter commit 58f09e00ae095e46ef9edfcf3a5fd9ccdfad065e upstream. The arg64 struct has a hole after ->buf_size which isn't cleared. Or if any of the calls to copy_from_user() fail then that would cause an information leak as well. This was assigned CVE-2013-2147. Signed-off-by: Dan Carpenter Acked-by: Mike Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Willy Tarreau --- drivers/block/cciss.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c index 68b90d9..b2225ab 100644 --- a/drivers/block/cciss.c +++ b/drivers/block/cciss.c @@ -1051,6 +1051,7 @@ static int cciss_ioctl32_big_passthru(struct block_device *bdev, fmode_t mode, int err; u32 cp; + memset(&arg64, 0, sizeof(arg64)); err = 0; err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info, -- 1.7.12.2.21.g234cd45.dirty