mtd: mtdchar: fix information leak to userland

Structure mtd_info_user is copied to userland with padding byted between "type" and "flags" fields uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
author: Vasiliy Kulikov <segooon@gmail.com> 2010-11-06 10:41:24 -0400
committer: David Woodhouse <David.Woodhouse@intel.com> 2010-12-03 11:29:12 -0500
commit: a0c5a3944ce121bb2417c771f77b18485cd84e18 (patch)
tree: 877da9f538e5e53476f22f9d90212116abff8356 /drivers/mtd
parent: ac80dac00f8630803dc0c7f8fbe6983a8e2a8b5f (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 4759d827e8c7..cad8fcc7b239 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -601,6 +601,7 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
        }
        case MEMGETINFO:
+                memset(&info, 0, sizeof(info));
                info.type       = mtd->type;
                info.flags      = mtd->flags;
                info.size       = mtd->size;
@@ -609,7 +610,6 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
                info.oobsize    = mtd->oobsize;
                /* The below fields are obsolete */
                info.ecctype    = -1;
-                info.eccsize    = 0;
                if (copy_to_user(argp, &info, sizeof(struct mtd_info_user)))
                        return -EFAULT;
                break;
author	Vasiliy Kulikov <segooon@gmail.com>	2010-11-06 10:41:24 -0400
committer	David Woodhouse <David.Woodhouse@intel.com>	2010-12-03 11:29:12 -0500
commit	a0c5a3944ce121bb2417c771f77b18485cd84e18 (patch)
tree	877da9f538e5e53476f22f9d90212116abff8356 /drivers/mtd
parent	ac80dac00f8630803dc0c7f8fbe6983a8e2a8b5f (diff)