Merge tag 'firewire-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394

Pull firewire fix from Stefan Richter: "IEEE 1394 (FireWire) subsystem fix: The character device file interface for raw 1394 I/O took uninitialized kernel stack as substitute for missing ioctl() argument data. This could partially show up in subsequent read() output" * tag 'firewire-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394: firewire: cdev: prevent kernel stack leaking into ioctl arguments
author: Linus Torvalds <torvalds@linux-foundation.org> 2014-11-14 15:44:48 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-11-14 15:44:48 -0500
commit: f720d7df993b2cd62c723f1803bc8330871d478f (patch)
tree: b9e7258adc77964f7ec1531926c90cfa78f11447
parent: 3865efcb14f46a5e01852d30a34b2c0dce076b3e (diff)
parent: eaca2d8e75e90a70a63a6695c9f61932609db212 (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 5d997a33907e..2a3973a7c441 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1637,8 +1637,7 @@ static int dispatch_ioctl(struct client *client,
            _IOC_SIZE(cmd) > sizeof(buffer))
                return -ENOTTY;
-        if (_IOC_DIR(cmd) == _IOC_READ)
+        memset(&buffer, 0, sizeof(buffer));
-                memset(&buffer, 0, _IOC_SIZE(cmd));
        if (_IOC_DIR(cmd) & _IOC_WRITE)
                if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))
author	Linus Torvalds <torvalds@linux-foundation.org>	2014-11-14 15:44:48 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-11-14 15:44:48 -0500
commit	f720d7df993b2cd62c723f1803bc8330871d478f (patch)
tree	b9e7258adc77964f7ec1531926c90cfa78f11447
parent	3865efcb14f46a5e01852d30a34b2c0dce076b3e (diff)
parent	eaca2d8e75e90a70a63a6695c9f61932609db212 (diff)

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index 5d997a33907e..2a3973a7c441 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c
@@ -1637,8 +1637,7 @@ static int dispatch_ioctl(struct client *client,
1637	_IOC_SIZE(cmd) > sizeof(buffer))	1637	_IOC_SIZE(cmd) > sizeof(buffer))
1638	return -ENOTTY;	1638	return -ENOTTY;
1639		1639
1640	if (_IOC_DIR(cmd) == _IOC_READ)	1640	memset(&buffer, 0, sizeof(buffer));
1641	memset(&buffer, 0, _IOC_SIZE(cmd));
1642		1641
1643	if (_IOC_DIR(cmd) & _IOC_WRITE)	1642	if (_IOC_DIR(cmd) & _IOC_WRITE)
1644	if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))	1643	if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd)))