All of lore.kernel.org
 help / color / mirror / Atom feed
* [patch] HID: hiddev: potential info leak in hiddev_ioctl()
@ 2011-09-23  6:21 ` Dan Carpenter
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2011-09-23  6:21 UTC (permalink / raw)
  To: Jiri Kosina
  Cc: linux-usb-u79uwXL29TY76Z2rM5mHXA,
	linux-input-u79uwXL29TY76Z2rM5mHXA,
	kernel-janitors-u79uwXL29TY76Z2rM5mHXA

Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.

In this case, the hiddev_devinfo struct has a two byte hole.

struct hiddev_devinfo {
        __u32                      bustype;              /*     0     4 */
        __u32                      busnum;               /*     4     4 */
        __u32                      devnum;               /*     8     4 */
        __u32                      ifnum;                /*    12     4 */
        __s16                      vendor;               /*    16     2 */
        __s16                      product;              /*    18     2 */
        __s16                      version;              /*    20     2 */

        /* XXX 2 bytes hole, try to pack */

        __u32                      num_applications;     /*    24     4 */

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index 7c1188b..4ef02b2 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -641,6 +641,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 			struct usb_device *dev = hid_to_usb_dev(hid);
 			struct usbhid_device *usbhid = hid->driver_data;
 
+			memset(&dinfo, 0, sizeof(dinfo));
+
 			dinfo.bustype = BUS_USB;
 			dinfo.busnum = dev->bus->busnum;
 			dinfo.devnum = dev->devnum;

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [patch] HID: hiddev: potential info leak in hiddev_ioctl()
@ 2011-09-23  6:21 ` Dan Carpenter
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2011-09-23  6:21 UTC (permalink / raw)
  To: Jiri Kosina
  Cc: linux-usb-u79uwXL29TY76Z2rM5mHXA,
	linux-input-u79uwXL29TY76Z2rM5mHXA,
	kernel-janitors-u79uwXL29TY76Z2rM5mHXA

Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.

In this case, the hiddev_devinfo struct has a two byte hole.

struct hiddev_devinfo {
        __u32                      bustype;              /*     0     4 */
        __u32                      busnum;               /*     4     4 */
        __u32                      devnum;               /*     8     4 */
        __u32                      ifnum;                /*    12     4 */
        __s16                      vendor;               /*    16     2 */
        __s16                      product;              /*    18     2 */
        __s16                      version;              /*    20     2 */

        /* XXX 2 bytes hole, try to pack */

        __u32                      num_applications;     /*    24     4 */

Signed-off-by: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>

diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index 7c1188b..4ef02b2 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -641,6 +641,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 			struct usb_device *dev = hid_to_usb_dev(hid);
 			struct usbhid_device *usbhid = hid->driver_data;
 
+			memset(&dinfo, 0, sizeof(dinfo));
+
 			dinfo.bustype = BUS_USB;
 			dinfo.busnum = dev->bus->busnum;
 			dinfo.devnum = dev->devnum;
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [patch] HID: hiddev: potential info leak in hiddev_ioctl()
  2011-09-23  6:21 ` Dan Carpenter
@ 2011-09-26 23:34   ` Jiri Kosina
  -1 siblings, 0 replies; 4+ messages in thread
From: Jiri Kosina @ 2011-09-26 23:34 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: linux-usb, linux-input, kernel-janitors

On Fri, 23 Sep 2011, Dan Carpenter wrote:

> Smatch has a new check for Rosenberg type information leaks where
> structs are copied to the user with uninitialized stack data in them.
> 
> In this case, the hiddev_devinfo struct has a two byte hole.
> 
> struct hiddev_devinfo {
>         __u32                      bustype;              /*     0     4 */
>         __u32                      busnum;               /*     4     4 */
>         __u32                      devnum;               /*     8     4 */
>         __u32                      ifnum;                /*    12     4 */
>         __s16                      vendor;               /*    16     2 */
>         __s16                      product;              /*    18     2 */
>         __s16                      version;              /*    20     2 */
> 
>         /* XXX 2 bytes hole, try to pack */
> 
>         __u32                      num_applications;     /*    24     4 */
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
> index 7c1188b..4ef02b2 100644
> --- a/drivers/hid/usbhid/hiddev.c
> +++ b/drivers/hid/usbhid/hiddev.c
> @@ -641,6 +641,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>  			struct usb_device *dev = hid_to_usb_dev(hid);
>  			struct usbhid_device *usbhid = hid->driver_data;
>  
> +			memset(&dinfo, 0, sizeof(dinfo));
> +
>  			dinfo.bustype = BUS_USB;
>  			dinfo.busnum = dev->bus->busnum;
>  			dinfo.devnum = dev->devnum;

Applied, thanks Dan.

-- 
Jiri Kosina
SUSE Labs

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [patch] HID: hiddev: potential info leak in hiddev_ioctl()
@ 2011-09-26 23:34   ` Jiri Kosina
  0 siblings, 0 replies; 4+ messages in thread
From: Jiri Kosina @ 2011-09-26 23:34 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: linux-usb, linux-input, kernel-janitors

On Fri, 23 Sep 2011, Dan Carpenter wrote:

> Smatch has a new check for Rosenberg type information leaks where
> structs are copied to the user with uninitialized stack data in them.
> 
> In this case, the hiddev_devinfo struct has a two byte hole.
> 
> struct hiddev_devinfo {
>         __u32                      bustype;              /*     0     4 */
>         __u32                      busnum;               /*     4     4 */
>         __u32                      devnum;               /*     8     4 */
>         __u32                      ifnum;                /*    12     4 */
>         __s16                      vendor;               /*    16     2 */
>         __s16                      product;              /*    18     2 */
>         __s16                      version;              /*    20     2 */
> 
>         /* XXX 2 bytes hole, try to pack */
> 
>         __u32                      num_applications;     /*    24     4 */
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
> index 7c1188b..4ef02b2 100644
> --- a/drivers/hid/usbhid/hiddev.c
> +++ b/drivers/hid/usbhid/hiddev.c
> @@ -641,6 +641,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
>  			struct usb_device *dev = hid_to_usb_dev(hid);
>  			struct usbhid_device *usbhid = hid->driver_data;
>  
> +			memset(&dinfo, 0, sizeof(dinfo));
> +
>  			dinfo.bustype = BUS_USB;
>  			dinfo.busnum = dev->bus->busnum;
>  			dinfo.devnum = dev->devnum;

Applied, thanks Dan.

-- 
Jiri Kosina
SUSE Labs

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-09-26 23:34 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-09-23  6:21 [patch] HID: hiddev: potential info leak in hiddev_ioctl() Dan Carpenter
2011-09-23  6:21 ` Dan Carpenter
2011-09-26 23:34 ` Jiri Kosina
2011-09-26 23:34   ` Jiri Kosina

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.