Bug 196553
| Summary: | Linux kernel: drivers/tty/cyclades.c: cy_get_serial_info stack infoleak | ||
|---|---|---|---|
| Product: | Drivers | Reporter: | zhh (sohu0106) |
| Component: | Other | Assignee: | drivers_other |
| Status: | NEW --- | ||
| Severity: | low | CC: | sohu0106 |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 4.12.2 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
drivers\tty\cyclades.c The stack object "tmp" has a total size of 17*4=72 bytes. Its last 2 bytes are padding bytes after "iomem_reg_shift" which are not initialized and leaked to userland via "copy_to_user". @@ -2263,19 +2263,18 @@ static int cy_get_serial_info(struct cyclades_port *info, struct serial_struct __user *retinfo) { struct cyclades_card *cinfo = info->card; - struct serial_struct tmp; - - memset( &tmp, 0, sizeof(struct serial_struct) ); - tmp.type = info->type; - tmp.line = info->line; - tmp.port = (info->card - cy_card) * 0x100 + info->line - cinfo->first_line; - tmp.irq = cinfo->irq; - tmp.flags = info->port.flags; - tmp.close_delay = info->port.close_delay; - tmp.closing_wait = info->port.closing_wait; - tmp.baud_base = info->baud; - tmp.custom_divisor = info->custom_divisor; - + struct serial_struct tmp = { + .type = info->type, + .line = info->line, + .port = (info->card - cy_card) * 0x100 + info->line - + cinfo->first_line, + .irq = cinfo->irq, + .flags = info->port.flags, + .close_delay = info->port.close_delay, + .closing_wait = info->port.closing_wait, + .baud_base = info->baud, + .custom_divisor = info->custom_divisor, + }; return copy_to_user(retinfo, &tmp, sizeof(*retinfo)) ? -EFAULT : 0; }