29 lines
1005 B
Plaintext
29 lines
1005 B
Plaintext
From: David Herrmann <dh.herrmann@gmail.com>
|
|
Date: Tue, 26 Nov 2013 13:58:18 +0100
|
|
Subject: HID: uhid: fix leak for 64/32 UHID_CREATE
|
|
Origin: http://mid.gmane.org/1385470698-6036-1-git-send-email-dh.herrmann@gmail.com
|
|
|
|
UHID allows short writes so user-space can omit unused fields. We
|
|
automatically set them to 0 in the kernel. However, the 64/32 bit
|
|
compat-handler didn't do that in the UHID_CREATE fallback. This will
|
|
reveal random kernel heap data (of random size, even) to user-space.
|
|
|
|
Reported-by: Ben Hutchings <ben@decadent.org.uk>
|
|
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
|
|
Cc: stable@vger.kernel.org
|
|
---
|
|
drivers/hid/uhid.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
--- a/drivers/hid/uhid.c
|
|
+++ b/drivers/hid/uhid.c
|
|
@@ -287,7 +287,7 @@ static int uhid_event_from_user(const ch
|
|
*/
|
|
struct uhid_create_req_compat *compat;
|
|
|
|
- compat = kmalloc(sizeof(*compat), GFP_KERNEL);
|
|
+ compat = kzalloc(sizeof(*compat), GFP_KERNEL);
|
|
if (!compat)
|
|
return -ENOMEM;
|
|
|