usb: core: fix information leak to userland

Structure usbdevfs_connectinfo is copied to userland with padding byted after "slow" field uninitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Vasiliy Kulikov <segooon@gmail.com> 2010-11-06 10:41:28 -0400
committer: Greg Kroah-Hartman <gregkh@suse.de> 2010-11-11 10:14:07 -0500
commit: 886ccd4520064408ce5876cfe00554ce52ecf4a7 (patch)
tree: f73cf257c20fed17af1c39a5cb754fca81c36d25 /drivers/usb
parent: eca67aaeebd6e5d22b0d991af1dd0424dc703bfb (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index f1aaff6202a5..045bb4b823e1 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -965,10 +965,11 @@ static int proc_getdriver(struct dev_state *ps, void __user *arg)
 static int proc_connectinfo(struct dev_state *ps, void __user *arg)
 {
-        struct usbdevfs_connectinfo ci;
+        struct usbdevfs_connectinfo ci = {
+                .devnum = ps->dev->devnum,
+                .slow = ps->dev->speed == USB_SPEED_LOW
+        };
-        ci.devnum = ps->dev->devnum;
-        ci.slow = ps->dev->speed == USB_SPEED_LOW;
        if (copy_to_user(arg, &ci, sizeof(ci)))
                return -EFAULT;
        return 0;
author	Vasiliy Kulikov <segooon@gmail.com>	2010-11-06 10:41:28 -0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	2010-11-11 10:14:07 -0500
commit	886ccd4520064408ce5876cfe00554ce52ecf4a7 (patch)
tree	f73cf257c20fed17af1c39a5cb754fca81c36d25 /drivers/usb
parent	eca67aaeebd6e5d22b0d991af1dd0424dc703bfb (diff)