From patchwork Fri Jun 23 14:24:28 2017
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 780026
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1][Zesty] UBUNTU: SAUCE: scsi: aacraid: Don't copy uninitialized stack memory to userspace
Date: Fri, 23 Jun 2017 09:24:28 -0500
Message-Id: <20170623142428.817-2-seth.forshee@canonical.com>
In-Reply-To: <20170623142428.817-1-seth.forshee@canonical.com>
References: <20170623142428.817-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions

BugLink: http://bugs.launchpad.net/bugs/1700077

Both aac_send_raw_srb() and aac_get_hba_info() may copy stack allocated
structs to userspace without initializing all members of these structs.
Clear out this memory to prevent information leaks.

Signed-off-by: Seth Forshee
Acked-by: Colin Ian King
Acked-by: Stefan Bader
---
 drivers/scsi/aacraid/commctrl.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c index 106b9332f718..176220ae6961 100644 --- a/drivers/scsi/aacraid/commctrl.c +++ b/drivers/scsi/aacraid/commctrl.c @@ -949,6 +949,7 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) &((struct aac_native_hba *)srbfib->hw_fib_va)->resp.err; struct aac_srb_reply reply; + memset(&reply, 0, sizeof(reply)); reply.status = ST_OK; if (srbfib->flags & FIB_CONTEXT_FLAG_FASTRESP) { /* fast response */ @@ -1018,6 +1019,7 @@ static int aac_get_hba_info(struct aac_dev *dev, void __user *arg) { struct aac_hba_info hbainfo; + memset(&hbainfo, 0, sizeof(hbainfo)); hbainfo.adapter_number = (u8) dev->id; hbainfo.system_io_bus_number = dev->pdev->bus->number; hbainfo.device_number = (dev->pdev->devfn >> 3);
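Review bot: In the aac_send_raw_srb() hunk, the new memset(&reply, 0, sizeof(reply)) ahead of reply.status = ST_OK carries no comment saying it is there because reply is later copied to userspace. A one-line comment to that effect would keep a later cleanup from replacing it with an initializer such as "struct aac_srb_reply reply = {};", which is not guaranteed to clear padding bytes the way memset over sizeof(reply) does.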
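Review bot: For the aac_get_hba_info() hunk, the changelog does not say which members of struct aac_hba_info the assignments after the memset leave unset, and the hunk shows only three of them (adapter_number, system_io_bus_number, device_number), so the size of the leak cannot be judged from the patch itself. Naming the unset members or padding in the commit message, and stating whether series other than Zesty carry the same code, would make the acks and any backport decision easier to verify.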
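The leak class the commit message describes, as an added userspace example that is not part of the patch or the aacraid driver: a struct filled member by member still carries whatever was in its slot before, in padding and in any member nobody assigns, and a sizeof()-sized copy exposes those bytes. The struct layout, the STALE marker and the function name are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, NOT the driver's struct aac_hba_info: the u8 before
 * the u32 leaves padding bytes, and `reserved` is never assigned below. */
struct demo_info {
    uint8_t  adapter_number;
    uint32_t bus_number;
    uint8_t  device_number;
    uint8_t  reserved[3];
};

/* The union exposes the raw bytes that a whole-struct copy would send. */
union slot {
    struct demo_info info;
    unsigned char raw[sizeof(struct demo_info)];
};

#define STALE 0xA5  /* constructed marker for leftover stack contents */

/* Fills the struct member by member, as the patched functions do, and
 * returns how many stale bytes a sizeof()-sized copy would expose. */
size_t stale_bytes_exposed(int clear_first)
{
    union slot s;
    unsigned char out[sizeof(s.raw)];        /* stands in for the user buffer */
    size_t i, leaked = 0;

    memset(s.raw, STALE, sizeof(s.raw));     /* simulate a dirty stack slot */
    if (clear_first)
        memset(&s.info, 0, sizeof(s.info));  /* the fix applied by the patch */
    s.info.adapter_number = 1;
    s.info.bus_number = 2;
    s.info.device_number = 3;
    memcpy(out, &s.info, sizeof(s.info));    /* copy_to_user() equivalent */
    for (i = 0; i < sizeof(out); i++)
        if (out[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("member-by-member only: %zu stale bytes\n", stale_bytes_exposed(0));
    printf("memset first:          %zu stale bytes\n", stale_bytes_exposed(1));
    return 0;
}
```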