[PATCH 3.8 88/91] Staging: sb105x: info leak in mp_get_count()

Kamal Mostafa kamal at canonical.com
Fri Nov 8 02:15:43 UTC 2013 -stable review patch.  If anyone has any objections, please let me know.


From: Dan Carpenter <dan.carpenter at oracle.com>

commit a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 upstream.

The icount.reserved[] array isn't initialized so it leaks stack
information to userspace.

Reported-by: Nico Golde <nico at ngolde.de>
Reported-by: Fabian Yamaguchi <fabs at goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
 drivers/staging/sb105x/sb_pci_mp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/sb105x/sb_pci_mp.c b/drivers/staging/sb105x/sb_pci_mp.c
index 9464f38..0f5e262 100644
--- a/drivers/staging/sb105x/sb_pci_mp.c
+++ b/drivers/staging/sb105x/sb_pci_mp.c
@@ -1063,7 +1063,7 @@ static int mp_wait_modem_status(struct sb_uart_state *state, unsigned long arg)
 static int mp_get_count(struct sb_uart_state *state, struct serial_icounter_struct *icnt)
-	struct serial_icounter_struct icount;
+	struct serial_icounter_struct icount = {};
 	struct sb_uart_icount cnow;
 	struct sb_uart_port *port = state->port;

More information about the kernel-team mailing list