[PATCH] bluetooth: fix leak of uninitialized data to userspace

From: Vegard Nossum
Date: Sun Oct 05 2008 - 11:25:45 EST

Next message: Thomas Gleixner: "[PATCH] x86, smpboot: remove additional_cpus"
Previous message: Ingo Molnar: "Re: <PING> Re: [patch x86/core] x86: allow number of additionalhotplug CPUs to be set at compile time"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

struct hci_dev_list_req {
__u16 dev_num;
struct hci_dev_req dev_req[0]; /* hci_dev_req structures */
};

sizeof(struct hci_dev_list_req) == 4, so the two bytes immediately
following "dev_num" will never be initialized. When this structure
is copied to userspace, these uninitialized bytes are leaked.

Fix by using kzalloc() instead of kmalloc(). Found using kmemcheck.

Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxx>
---
net/bluetooth/hci_core.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 278a3ac..7bb0f1c 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -756,7 +756,7 @@ int hci_get_dev_list(void __user *arg)

size = sizeof(*dl) + dev_num * sizeof(*dr);

- if (!(dl = kmalloc(size, GFP_KERNEL)))
+ if (!(dl = kzalloc(size, GFP_KERNEL)))
return -ENOMEM;

dr = dl->dev_req;
--
1.5.5.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Thomas Gleixner: "[PATCH] x86, smpboot: remove additional_cpus"
Previous message: Ingo Molnar: "Re: <PING> Re: [patch x86/core] x86: allow number of additionalhotplug CPUs to be set at compile time"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]