From: Ian Abbott
Date: Mon, 09 Mar 2015 23:34:42 +0000
To: Matteo Semenzato, gregkh@linuxfoundation.org, hsweeten@visionengravers.com
CC: devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Staging: comedi: fix information leak
Message-ID: <54FE2E12.4000108@mev.co.uk>
References: <1425931697-10301-1-git-send-email-mattew8898@gmail.com>
In-Reply-To: <1425931697-10301-1-git-send-email-mattew8898@gmail.com>

On 09/03/15 20:08, Matteo Semenzato wrote:
> From: Matteo Semenzato
>
> The comedi_cmd struct has a hole after chanlist_len that could contain uninitialized
> memory, this struct is copied to userspace.
>
> Signed-off-by: Matteo Semenato
> --- > drivers/staging/comedi/comedi_fops.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c > index 727640e..1cdf0a2 100644 > --- a/drivers/staging/comedi/comedi_fops.c > +++ b/drivers/staging/comedi/comedi_fops.c
> @@ -1718,6 +1718,8 @@ static int do_cmdtest_ioctl(struct comedi_device *dev, > unsigned int __user *user_chanlist; > int ret; > > + memset(&cmd, 0, sizeof(cmd)); > + > /* get the user's cmd and do some simple validation */ > ret = __comedi_get_user_cmd(dev, arg, &cmd); > if (ret) >

I see no information leak there. The cmd variable gets copied over with
user memory by the call to __comedi_get_user_cmd(), so zero-filling it
first is rather pointless.

--
-=( Ian Abbott @ MEV Ltd. E-mail: )=-
-=( Web: http://www.mev.co.uk/ )=-
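
Review bot: the memset(&cmd, 0, sizeof(cmd)) is placed before __comedi_get_user_cmd(dev, arg, &cmd), and as the reply points out that call copies user memory over cmd, so the commit message needs to say which bytes of cmd are still uninitialized at the point where the struct is copied back to userspace. If the hole after chanlist_len is filled by the copy-in, it holds data the caller already supplied and the zero-fill can be dropped; if there is a path on which cmd is not fully overwritten by that call, name it and clear the struct there. Separately, the Signed-off-by name ("Matteo Semenato") does not match the From line ("Matteo Semenzato") and should be corrected before the patch is applied.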
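
The point made in the reply, as an added example that is not part of the original thread or of the comedi code: a whole-object copy-in overwrites the hole, so zeroing first changes nothing, and the example goes one step beyond the thread to show the member-by-member fill where a stale hole does survive. The struct demo_cmd layout, the marker values and leaked_bytes() are hypothetical, and memcpy stands in for the kernel's user-copy routine.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical layout for illustration; NOT the real struct comedi_cmd. */
struct demo_cmd {
    unsigned int chanlist_len;  /* 4 bytes */
    unsigned int *chanlist;     /* 8-byte aligned on LP64, so a hole precedes it */
};

#define HOLE_OFF (offsetof(struct demo_cmd, chanlist_len) + sizeof(unsigned int))
#define HOLE_LEN (offsetof(struct demo_cmd, chanlist) - HOLE_OFF)
#define STALE 0xAA  /* constructed marker standing in for old kernel stack bytes */
#define USER  0x55  /* constructed marker for bytes supplied by the caller */

/* Count bytes in the hole that still carry the stale-stack marker. */
static size_t stale_in_hole(const unsigned char *obj)
{
    size_t i, n = 0;
    for (i = 0; i < HOLE_LEN; i++)
        n += (obj[HOLE_OFF + i] == STALE);
    return n;
}

/*
 * Build a "kernel local" and report how many stale bytes would reach the
 * caller if the whole object were copied out afterwards.
 *   zero_first: apply memset(&cmd, 0, sizeof(cmd)) before filling
 *   whole_copy: fill with one full-size copy-in (memcpy stands in for the
 *               user copy); otherwise write the members one by one
 */
static size_t leaked_bytes(int zero_first, int whole_copy)
{
    unsigned char user[sizeof(struct demo_cmd)];
    unsigned char cmd[sizeof(struct demo_cmd)];
    unsigned int len = 16;
    unsigned int *list = NULL;

    memset(user, USER, sizeof(user));
    memset(cmd, STALE, sizeof(cmd));       /* uninitialized stack slot */
    if (zero_first)
        memset(cmd, 0, sizeof(cmd));
    if (whole_copy) {
        memcpy(cmd, user, sizeof(cmd));    /* hole now holds caller bytes */
    } else {
        memcpy(cmd + offsetof(struct demo_cmd, chanlist_len), &len, sizeof(len));
        memcpy(cmd + offsetof(struct demo_cmd, chanlist), &list, sizeof(list));
    }
    return stale_in_hole(cmd);
}
```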