diff options
author | Vasiliy Kulikov <segooon@gmail.com> | 2010-11-06 15:41:24 +0100 |
---|---|---|
committer | David Woodhouse <David.Woodhouse@intel.com> | 2010-12-03 17:29:12 +0100 |
commit | a0c5a3944ce121bb2417c771f77b18485cd84e18 (patch) | |
tree | 877da9f538e5e53476f22f9d90212116abff8356 /drivers | |
parent | mtd: onenand: implement cache program feature for 4KiB page onenand (diff) | |
download | linux-a0c5a3944ce121bb2417c771f77b18485cd84e18.tar.xz linux-a0c5a3944ce121bb2417c771f77b18485cd84e18.zip |
mtd: mtdchar: fix information leak to userland
Structure mtd_info_user is copied to userland with padding byted
between "type" and "flags" fields uninitialized. It leads to leaking
of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/mtd/mtdchar.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index 4759d827e8c7..cad8fcc7b239 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -601,6 +601,7 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg) } case MEMGETINFO: + memset(&info, 0, sizeof(info)); info.type = mtd->type; info.flags = mtd->flags; info.size = mtd->size; @@ -609,7 +610,6 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg) info.oobsize = mtd->oobsize; /* The below fields are obsolete */ info.ecctype = -1; - info.eccsize = 0; if (copy_to_user(argp, &info, sizeof(struct mtd_info_user))) return -EFAULT; break; |