diff options
author | Alan Stern <stern@rowland.harvard.edu> | 2005-07-29 15:16:58 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-07-29 16:12:52 -0400 |
commit | fe0410c7f43e133e156e54e3156392e800bedc21 (patch) | |
tree | 0c082c02228d3ec92f7630f51e01f3b4085b5fd7 | |
parent | 279e1545a1350b9147ae884f848ffc8b7db18967 (diff) |
[PATCH] USB: usbfs: Don't leak uninitialized data
This patch fixes an information leak in the usbfs snoop facility:
uninitialized data from __get_free_page can be returned to userspace and
written to the system log. It also improves the snoop output by printing
the wLength value.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | drivers/usb/core/devio.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 787c27a63c51..f86bf1454e21 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c | |||
@@ -569,8 +569,11 @@ static int proc_control(struct dev_state *ps, void __user *arg) | |||
569 | free_page((unsigned long)tbuf); | 569 | free_page((unsigned long)tbuf); |
570 | return -EINVAL; | 570 | return -EINVAL; |
571 | } | 571 | } |
572 | snoop(&dev->dev, "control read: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n", | 572 | snoop(&dev->dev, "control read: bRequest=%02x " |
573 | ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex); | 573 | "bRrequestType=%02x wValue=%04x " |
574 | "wIndex=%04x wLength=%04x\n", | ||
575 | ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, | ||
576 | ctrl.wIndex, ctrl.wLength); | ||
574 | 577 | ||
575 | usb_unlock_device(dev); | 578 | usb_unlock_device(dev); |
576 | i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType, | 579 | i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType, |
@@ -579,11 +582,11 @@ static int proc_control(struct dev_state *ps, void __user *arg) | |||
579 | if ((i > 0) && ctrl.wLength) { | 582 | if ((i > 0) && ctrl.wLength) { |
580 | if (usbfs_snoop) { | 583 | if (usbfs_snoop) { |
581 | dev_info(&dev->dev, "control read: data "); | 584 | dev_info(&dev->dev, "control read: data "); |
582 | for (j = 0; j < ctrl.wLength; ++j) | 585 | for (j = 0; j < i; ++j) |
583 | printk ("%02x ", (unsigned char)(tbuf)[j]); | 586 | printk ("%02x ", (unsigned char)(tbuf)[j]); |
584 | printk("\n"); | 587 | printk("\n"); |
585 | } | 588 | } |
586 | if (copy_to_user(ctrl.data, tbuf, ctrl.wLength)) { | 589 | if (copy_to_user(ctrl.data, tbuf, i)) { |
587 | free_page((unsigned long)tbuf); | 590 | free_page((unsigned long)tbuf); |
588 | return -EFAULT; | 591 | return -EFAULT; |
589 | } | 592 | } |
@@ -595,8 +598,11 @@ static int proc_control(struct dev_state *ps, void __user *arg) | |||
595 | return -EFAULT; | 598 | return -EFAULT; |
596 | } | 599 | } |
597 | } | 600 | } |
598 | snoop(&dev->dev, "control write: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n", | 601 | snoop(&dev->dev, "control write: bRequest=%02x " |
599 | ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex); | 602 | "bRrequestType=%02x wValue=%04x " |
603 | "wIndex=%04x wLength=%04x\n", | ||
604 | ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, | ||
605 | ctrl.wIndex, ctrl.wLength); | ||
600 | if (usbfs_snoop) { | 606 | if (usbfs_snoop) { |
601 | dev_info(&dev->dev, "control write: data: "); | 607 | dev_info(&dev->dev, "control write: data: "); |
602 | for (j = 0; j < ctrl.wLength; ++j) | 608 | for (j = 0; j < ctrl.wLength; ++j) |