oss-sec mailing list archives
CVE Request: information leak in devio of Linux kernel
From: Kangjie Lu <kangjielu () gmail com>
Date: Tue, 3 May 2016 20:52:55 -0400
Hello,

In the USB module (drivers/usb/core/devio.c), the stack object “ci” has a total size of 8 bytes. Its last 3 bytes are padding bytes which are not initialized and leaked to userland via “copy_to_user”.

The patch for this bug has been accepted by the Linux kernel maintainer and will be merged in the next major kernel release (see the message below).

Fix info:
http://www.spinics.net/lists/linux-usb/msg140243.html
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git

Could you please assign a CVE to it?

Thanks,
Kangjie Lu

---------- Forwarded message ----------
From: <gregkh () linuxfoundation org>
Date: Tue, May 3, 2016 at 7:23 PM
Subject: patch "USB: usbfs: fix potential infoleak in devio" added to usb-next
To: kangjielu () gmail com, gregkh () linuxfoundation org, kjlu () gatech edu

This is a note to let you know that I've just added the patch titled

    USB: usbfs: fix potential infoleak in devio

to my usb git tree which can be found at
    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
in the usb-next branch.

The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.)

The patch will also be merged in the next major kernel release during the merge window.

If you have any questions about this process, please let me know.

From 681fef8380eb818c0b845fca5d2ab1dcbab114ee Mon Sep 17 00:00:00 2001
From: Kangjie Lu <kangjielu () gmail com> Date: Tue, 3 May 2016 16:32:16 -0400 Subject: USB: usbfs: fix potential infoleak in devio MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The stack object “ci” has a total size of 8 bytes. Its last 3 bytes are padding bytes which are not initialized and leaked to userland via “copy_to_user”. Signed-off-by: Kangjie Lu <kjlu () gatech edu> Signed-off-by: Greg Kroah-Hartman <gregkh () linuxfoundation org> --- drivers/usb/core/devio.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 73ce87166401..e9f5043a2167 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg) static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) { - struct usbdevfs_connectinfo ci = { - .devnum = ps->dev->devnum, - .slow = ps->dev->speed == USB_SPEED_LOW - }; + struct usbdevfs_connectinfo ci; + + memset(&ci, 0, sizeof(ci)); + ci.devnum = ps->dev->devnum; + ci.slow = ps->dev->speed == USB_SPEED_LOW; if (copy_to_user(arg, &ci, sizeof(ci))) return -EFAULT; -- 2.8.2
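
Review bot: In proc_connectinfo, the new memset(&ci, 0, sizeof(ci)) carries no comment saying it exists to clear the padding bytes before copy_to_user(arg, &ci, sizeof(ci)), so a later cleanup could fold the three statements back into the designated initializer this hunk removes and reintroduce the leak described in the commit message. Suggest a one-line comment above the memset, for example /* zero the whole struct, padding included, before copying it to userspace */. The ordering is right as written: the memset comes before the two field assignments, and the copy length stays sizeof(ci).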
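
The padding leak described in the message, modelled in user-space C as an added example that is not part of the original post or the kernel source. The struct `connectinfo_model`, its field types, the `STALE` marker and all function names are assumptions made for illustration; a byte buffer stands in for the kernel stack slot and for the `sizeof`-wide copy to the reader.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local mirror of the two fields the patch assigns (devnum, slow). The field
 * types are assumed, chosen to match the 8-byte size stated in the message. */
struct connectinfo_model {
    unsigned int  devnum;
    unsigned char slow;
};
#define CI_SIZE   sizeof(struct connectinfo_model)
#define FIRST_PAD (offsetof(struct connectinfo_model, slow) + sizeof(unsigned char))
#define STALE     0xAA  /* constructed marker standing in for old stack contents */

/* Bytes after the last member that belong to no field. */
size_t tail_padding(void)
{
    return CI_SIZE - FIRST_PAD;
}

/* Model a stack slot: start from stale bytes, optionally clear the whole
 * object first (the fix), then store only the named fields. memcpy at member
 * offsets keeps the model well defined in ISO C. */
static void build(unsigned char *slot, int zero_first,
                  unsigned int devnum, unsigned char slow)
{
    memset(slot, STALE, CI_SIZE);
    if (zero_first)
        memset(slot, 0, CI_SIZE);
    memcpy(slot + offsetof(struct connectinfo_model, devnum), &devnum, sizeof devnum);
    memcpy(slot + offsetof(struct connectinfo_model, slow), &slow, sizeof slow);
}

/* Count stale bytes that a sizeof()-wide copy would hand to the reader. */
size_t leaked_bytes(int zero_first)
{
    unsigned char slot[CI_SIZE];
    size_t i, n = 0;

    build(slot, zero_first, 7, 1);
    for (i = FIRST_PAD; i < CI_SIZE; i++)
        n += (slot[i] == STALE);
    return n;
}

int main(void)
{
    printf("sizeof=%zu padding=%zu fields-only leak=%zu memset-first leak=%zu\n",
           CI_SIZE, tail_padding(), leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

The same `sizeof` minus end-of-last-member arithmetic is a quick audit for any struct that is copied out whole; it covers tail padding only, so structs with gaps between members need a per-member check.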