zesty SRU, LP#1668726

Seth Forshee seth.forshee at canonical.com
Fri Jun 23 12:54:31 UTC 2017

On Fri, Jun 23, 2017 at 11:21:15AM +0100, Colin Ian King wrote:
> CoverityScan picked up a regression with the patches for LP#1668726
>     CID 1435473 (#1 of 1): Uninitialized scalar variable (UNINIT)59.
> uninit_use_in_call: Using uninitialized value reply. Field
> reply.sense_data_size is uninitialized when calling copy_to_user.
>  967                if (copy_to_user(user_reply, &reply,
>  968                        sizeof(struct aac_srb_reply))) {
>  969                        dprintk((KERN_DEBUG"aacraid: Copy to user
> failed\n"));
>  970                        rcode = -EFAULT;
>  971                        goto cleanup;

My interpretation of the code is that reply.sense_response_data_len and
reply.sense_data are only meant to contain data about failures, i.e.
when reply.srb_status != SRB_STATUS_SUCCESS. So this might not have been
a problem, except that reply is a stack variable copied to userspace, so
any uninitialized values in the struct represent a possible information

This is also a bug upstream. So I'll prepare a fix and submit it for
Ubuntu and also upstream.

Thank Colin.


More information about the kernel-team mailing list