Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fe0410c7 authored by Alan Stern's avatar Alan Stern Committed by Linus Torvalds
Browse files

[PATCH] USB: usbfs: Don't leak uninitialized data 



This patch fixes an information leak in the usbfs snoop facility:
uninitialized data from __get_free_page can be returned to userspace and
written to the system log.  It also improves the snoop output by printing
the wLength value.

Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 279e1545

drivers/usb/core/devio.c

+12 −6
Original line number Diff line number Diff line
@@ -569,8 +569,11 @@ static int proc_control(struct dev_state *ps, void __user *arg) 
			free_page((unsigned long)tbuf);

			return -EINVAL;

		}

		snoop(&dev->dev, "control read: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n", 

			ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex);

		snoop(&dev->dev, "control read: bRequest=%02x "

				"bRrequestType=%02x wValue=%04x "

				"wIndex=%04x wLength=%04x\n",

			ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,

				ctrl.wIndex, ctrl.wLength);



		usb_unlock_device(dev);

		i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), ctrl.bRequest, ctrl.bRequestType,
@@ -579,11 +582,11 @@ static int proc_control(struct dev_state *ps, void __user *arg) 
		if ((i > 0) && ctrl.wLength) {

			if (usbfs_snoop) {

				dev_info(&dev->dev, "control read: data ");

				for (j = 0; j < ctrl.wLength; ++j)

				for (j = 0; j < i; ++j)

					printk ("%02x ", (unsigned char)(tbuf)[j]);

				printk("\n");

			}

			if (copy_to_user(ctrl.data, tbuf, ctrl.wLength)) {

			if (copy_to_user(ctrl.data, tbuf, i)) {

				free_page((unsigned long)tbuf);

				return -EFAULT;

			}
@@ -595,8 +598,11 @@ static int proc_control(struct dev_state *ps, void __user *arg) 
				return -EFAULT;

			}

		}

		snoop(&dev->dev, "control write: bRequest=%02x bRrequestType=%02x wValue=%04x wIndex=%04x\n", 

			ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, ctrl.wIndex);

		snoop(&dev->dev, "control write: bRequest=%02x "

				"bRrequestType=%02x wValue=%04x "

				"wIndex=%04x wLength=%04x\n",

			ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,

				ctrl.wIndex, ctrl.wLength);

		if (usbfs_snoop) {

			dev_info(&dev->dev, "control write: data: ");

			for (j = 0; j < ctrl.wLength; ++j)