USB: usbfs: don't leak kernel data in siginfo

When a signal is delivered, the information in the siginfo structure is copied to userspace. Good security practice dicatates that the unused fields in this structure should be initialized to 0 so that random kernel stack data isn't exposed to the user. This patch adds such an initialization to the two places where usbfs raises signals. Signed-off-by: N Alan Stern <stern@rowland.harvard.edu> Reported-by: N Dave Mielke <dave@mielke.cc> CC: <stable@vger.kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: usbfs: don't leak kernel data in siginfo
When a signal is delivered, the information in the siginfo structure is copied to userspace. Good security practice dicatates that the unused fields in this structure should be initialized to 0 so that random kernel stack data isn't exposed to the user. This patch adds such an initialization to the two places where usbfs raises signals. Signed-off-by: N Alan Stern <stern@rowland.harvard.edu> Reported-by: N Dave Mielke <dave@mielke.cc> CC: <stable@vger.kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
f0c2b681 · Alan Stern · Greg Kroah-Hartman · 27082e26 · f0c2b681
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

drivers/usb/core/devio.c drivers/usb/core/devio.c +2 -0

未找到文件。
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -501,6 +501,7 @@ static void async_completed(struct urb *urb)
 	as->status = urb->status;
 	signr = as->signr;
 	if (signr) {
+		memset(&sinfo, 0, sizeof(sinfo));
 		sinfo.si_signo = as->signr;
 		sinfo.si_errno = as->status;
 		sinfo.si_code = SI_ASYNCIO;
@@ -2382,6 +2383,7 @@ static void usbdev_remove(struct usb_device *udev)
 		wake_up_all(&ps->wait);
 		list_del_init(&ps->list);
 		if (ps->discsignr) {
+			memset(&sinfo, 0, sizeof(sinfo));
 			sinfo.si_signo = ps->discsignr;
 			sinfo.si_errno = EPIPE;
 			sinfo.si_code = SI_ASYNCIO;