aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlan Stern <stern@rowland.harvard.edu>2005-07-29 15:16:58 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-07-29 16:12:52 -0400
commitfe0410c7f43e133e156e54e3156392e800bedc21 (patch)
tree0c082c02228d3ec92f7630f51e01f3b4085b5fd7
parent279e1545a1350b9147ae884f848ffc8b7db18967 (diff)
[PATCH] USB: usbfs: Don't leak uninitialized data
This patch fixes an information leak in the usbfs snoop facility: uninitialized data from __get_free_page can be returned to userspace and written to the system log. It also improves the snoop output by printing the wLength value. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--drivers/usb/core/devio.c18
1 files changed, 12 insertions, 6 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 787c27a63c51..f86bf1454e21 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -569,8 +569,11 @@ static int proc_control(struct dev_state *ps, void __user *arg)
569 free_page((unsigned long)tbuf); 569 free_page((unsigned long)tbuf);
570 return -EINVAL; 570 return -EINVAL;
571 } 571 }
572 snoop(&dev->dev, "control read: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n", 572 snoop(&dev->dev, "control read: bRequest=%02x "
573 ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex); 573 "bRrequestType=%02x wValue=%04x "
574 "wIndex=%04x wLength=%04x\n",
575 ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
576 ctrl.wIndex, ctrl.wLength);
574 577
575 usb_unlock_device(dev); 578 usb_unlock_device(dev);
576 i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType, 579 i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,
@@ -579,11 +582,11 @@ static int proc_control(struct dev_state *ps, void __user *arg)
579 if ((i > 0) && ctrl.wLength) { 582 if ((i > 0) && ctrl.wLength) {
580 if (usbfs_snoop) { 583 if (usbfs_snoop) {
581 dev_info(&dev->dev, "control read: data "); 584 dev_info(&dev->dev, "control read: data ");
582 for (j = 0; j < ctrl.wLength; ++j) 585 for (j = 0; j < i; ++j)
583 printk ("%02x ", (unsigned char)(tbuf)[j]); 586 printk ("%02x ", (unsigned char)(tbuf)[j]);
584 printk("\n"); 587 printk("\n");
585 } 588 }
586 if (copy_to_user(ctrl.data, tbuf, ctrl.wLength)) { 589 if (copy_to_user(ctrl.data, tbuf, i)) {
587 free_page((unsigned long)tbuf); 590 free_page((unsigned long)tbuf);
588 return -EFAULT; 591 return -EFAULT;
589 } 592 }
@@ -595,8 +598,11 @@ static int proc_control(struct dev_state *ps, void __user *arg)
595 return -EFAULT; 598 return -EFAULT;
596 } 599 }
597 } 600 }
598 snoop(&dev->dev, "control write: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n", 601 snoop(&dev->dev, "control write: bRequest=%02x "
599 ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex); 602 "bRrequestType=%02x wValue=%04x "
603 "wIndex=%04x wLength=%04x\n",
604 ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
605 ctrl.wIndex, ctrl.wLength);
600 if (usbfs_snoop) { 606 if (usbfs_snoop) {
601 dev_info(&dev->dev, "control write: data: "); 607 dev_info(&dev->dev, "control write: data: ");
602 for (j = 0; j < ctrl.wLength; ++j) 608 for (j = 0; j < ctrl.wLength; ++j)