Bug 196553 - Linux kernel: drivers/tty/cyclades.c: cy_get_serial_info stack infoleak
Summary: Linux kernel: drivers/tty/cyclades.c: cy_get_serial_info stack infoleak
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
: P1 low
Assignee: drivers_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-01 09:28 UTC by zhh
Modified: 2017-08-01 09:28 UTC (History)
1 user (show)

See Also:
Kernel Version: 4.12.2
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description zhh 2017-08-01 09:28:03 UTC 
drivers\tty\cyclades.c

The stack object "tmp" has a total size of 17*4=72 bytes. Its last 2 bytes are padding bytes after "iomem_reg_shift" which are not initialized and leaked to userland via "copy_to_user".


@@ -2263,19 +2263,18 @@ static int cy_get_serial_info(struct cyclades_port *info,
 		struct serial_struct __user *retinfo)
 {
 	struct cyclades_card *cinfo = info->card;
-	struct serial_struct tmp;
-	
-	memset( &tmp, 0, sizeof(struct serial_struct) );
-	tmp.type = info->type;
-	tmp.line = info->line;
-	tmp.port = (info->card - cy_card) * 0x100 + info->line - cinfo->first_line;
-	tmp.irq = cinfo->irq;
-	tmp.flags = info->port.flags;
-	tmp.close_delay = info->port.close_delay;
-	tmp.closing_wait = info->port.closing_wait;
-	tmp.baud_base = info->baud;
-	tmp.custom_divisor = info->custom_divisor;
-	
+	struct serial_struct tmp = {
+		.type = info->type,
+		.line = info->line,
+		.port = (info->card - cy_card) * 0x100 + info->line -
+			cinfo->first_line,
+		.irq = cinfo->irq,
+		.flags = info->port.flags,
+		.close_delay = info->port.close_delay,
+		.closing_wait = info->port.closing_wait,
+		.baud_base = info->baud,
+		.custom_divisor = info->custom_divisor,
+	};
 	return copy_to_user(retinfo, &tmp, sizeof(*retinfo)) ? -EFAULT : 0;
 }
Note You need to log in before you can comment on or make changes to this bug.