Commit 58f09e00 authored Sep 24, 2013 by Dan Carpenter Committed by Linus Torvalds Sep 24, 2013

cciss: fix info leak in cciss_ioctl32_passthru()



The arg64 struct has a hole after ->buf_size which isn't cleared.  Or if
any of the calls to copy_from_user() fail then that would cause an
information leak as well.

This was assigned CVE-2013-2147.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Mike Miller <mike.miller@hp.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 627aad1c

drivers/block/cciss.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -1189,6 +1189,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode,
		int err;
		u32 cp;

		memset(&arg64, 0, sizeof(arg64));
		err = 0;
		err \|=
		copy_from_user(&arg64.LUN_info, &arg32->LUN_info,