zesty SRU, LP#1668726
Seth Forshee
seth.forshee at canonical.com
Fri Jun 23 12:54:31 UTC 2017
On Fri, Jun 23, 2017 at 11:21:15AM +0100, Colin Ian King wrote:
> CoverityScan picked up a regression with the patches for LP#1668726
>
> CID 1435473 (#1 of 1): Uninitialized scalar variable (UNINIT)59.
> uninit_use_in_call: Using uninitialized value reply. Field
> reply.sense_data_size is uninitialized when calling copy_to_user.
>
> 967 if (copy_to_user(user_reply, &reply,
> 968 sizeof(struct aac_srb_reply))) {
> 969 dprintk((KERN_DEBUG"aacraid: Copy to user
> failed\n"));
> 970 rcode = -EFAULT;
> 971 goto cleanup;
My interpretation of the code is that reply.sense_response_data_len and
reply.sense_data are only meant to contain data about failures, i.e.
when reply.srb_status != SRB_STATUS_SUCCESS. So this might not have been
a problem, except that reply is a stack variable copied to userspace, so
any uninitialized values in the struct represent a possible information
leak.
This is also a bug upstream. So I'll prepare a fix and submit it for
Ubuntu and also upstream.
Thanks Colin.
Seth
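To make the leak Seth describes concrete, here is an added userspace example, not code from the aacraid driver or from this thread. It models a reply struct with assumed field names and sizes (the real `struct aac_srb_reply` layout is not reproduced), replaces `copy_to_user` with a plain `memcpy` into the caller's buffer, and pre-fills the "stack" variable with a known byte pattern so the effect is deterministic (reading a genuinely uninitialized local would be undefined behaviour). It then counts how many stale bytes reach the "user" buffer with and without zeroing the struct first:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply structure, loosely modelled on a SRB reply; the field
 * names and sizes are assumptions for this example, not aacraid's layout. */
struct srb_reply {
    uint32_t status;
    uint32_t srb_status;
    uint32_t scsi_status;
    uint32_t data_xfer_length;
    uint32_t sense_data_size;   /* only meaningful when srb_status != SUCCESS */
    uint8_t  sense_data[30];    /* only meaningful when srb_status != SUCCESS */
};

#define SRB_STATUS_SUCCESS 0x01u
#define SRB_STATUS_ERROR   0x04u  /* assumed value for a failed SRB */
#define STALE_BYTE 0xAAu          /* stands in for whatever the stack held before */

/* Stand-in for copy_to_user(): a plain memcpy into the caller's buffer. */
static int copy_to_user_sim(void *user_dst, const void *kernel_src, size_t n)
{
    memcpy(user_dst, kernel_src, n);
    return 0;
}

/* Leaky pattern. 'reply' plays the role of the uninitialised stack variable;
 * the caller has pre-filled it with STALE_BYTE. Only the success-path fields
 * are written, so the sense fields and any padding still hold stale bytes
 * when the whole struct is copied out to userspace. */
int build_reply_leaky(struct srb_reply *reply, uint32_t srb_status, void *user_reply)
{
    reply->status = 0;
    reply->srb_status = srb_status;
    reply->scsi_status = 0;
    reply->data_xfer_length = 0;
    if (srb_status != SRB_STATUS_SUCCESS) {
        /* constructed sample sense data (fixed-format, ILLEGAL REQUEST) */
        static const uint8_t sense[4] = { 0x70, 0x00, 0x05, 0x00 };
        reply->sense_data_size = sizeof sense;
        memset(reply->sense_data, 0, sizeof reply->sense_data);
        memcpy(reply->sense_data, sense, sizeof sense);
    }
    return copy_to_user_sim(user_reply, reply, sizeof *reply);
}

/* Fixed pattern: the only difference is clearing the entire object, padding
 * included, before filling it. memset is used rather than "= {0}" because an
 * initializer is not required to zero padding bytes. */
int build_reply_fixed(struct srb_reply *reply, uint32_t srb_status, void *user_reply)
{
    memset(reply, 0, sizeof *reply);
    return build_reply_leaky(reply, srb_status, user_reply);
}

/* Run one builder on a "dirty" reply and return how many bytes of the copied
 * out struct still carry the stale pattern, i.e. how much would leak. */
size_t leaked_bytes(int (*build)(struct srb_reply *, uint32_t, void *), uint32_t srb_status)
{
    struct srb_reply reply;
    uint8_t user_buf[sizeof reply];
    size_t i, stale = 0;

    memset(&reply, STALE_BYTE, sizeof reply);   /* simulate stale stack contents */
    build(&reply, srb_status, user_buf);
    for (i = 0; i < sizeof user_buf; i++)
        if (user_buf[i] == STALE_BYTE)
            stale++;
    return stale;
}

int main(void)
{
    printf("leaky, success path: %zu stale bytes reach userspace\n",
           leaked_bytes(build_reply_leaky, SRB_STATUS_SUCCESS));
    printf("leaky, error path:   %zu stale bytes (struct padding only)\n",
           leaked_bytes(build_reply_leaky, SRB_STATUS_ERROR));
    printf("fixed, success path: %zu stale bytes\n",
           leaked_bytes(build_reply_fixed, SRB_STATUS_SUCCESS));
    return 0;
}
```

Two things worth noticing: on the success path every byte of the sense fields leaks, which is the case Coverity flagged, and on the error path the struct's trailing padding still leaks even though every named field was assigned. That is why the usual kernel fix for a struct destined for copy_to_user is to memset the whole object rather than to add assignments for the fields the tool happened to name.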