scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

When calling SG_GET_REQUEST_TABLE ioctl only a half-filled table is
returned; the remaining part will then contain stale kernel memory
information.  This patch zeroes out the entire table to avoid this
issue.

Signed-off-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

1 files changed, 2 insertions, 3 deletions

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 1acdb6e03999..0419c2298eab 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -839,7 +839,6 @@ sg_fill_request_table(Sg_fd *sfp, sg_req_info_t *rinfo)
         list_for_each_entry(srp, &sfp->rq_list, entry) {
                 if (val > SG_MAX_QUEUE)
                         break;
-                memset(&rinfo[val], 0, SZ_SG_REQ_INFO);
                 rinfo[val].req_state = srp->done + 1;
                 rinfo[val].problem =
                         srp->header.masked_status &
@@ -1047,8 +1046,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
                 else {
                         sg_req_info_t *rinfo;
 
-                        rinfo = kmalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
-                                                                GFP_KERNEL);
+                        rinfo = kzalloc(SZ_SG_REQ_INFO * SG_MAX_QUEUE,
+                                        GFP_KERNEL);
                         if (!rinfo)
                                 return -ENOMEM;
                         read_lock_irqsave(&sfp->rq_list_lock, iflags);