zesty SRU, LP#1668726
Colin Ian King
colin.king at canonical.com
Fri Jun 23 12:56:07 UTC 2017
On 23/06/17 13:54, Seth Forshee wrote:
> On Fri, Jun 23, 2017 at 11:21:15AM +0100, Colin Ian King wrote:
>> CoverityScan picked up a regression with the patches for LP#1668726
>>
>> CID 1435473 (#1 of 1): Uninitialized scalar variable (UNINIT)59.
>> uninit_use_in_call: Using uninitialized value reply. Field
>> reply.sense_data_size is uninitialized when calling copy_to_user.
>>
>> 967 if (copy_to_user(user_reply, &reply,
>> 968 sizeof(struct aac_srb_reply))) {
>> 969 dprintk((KERN_DEBUG"aacraid: Copy to user failed\n"));
>> 970 rcode = -EFAULT;
>> 971 goto cleanup;
>
> My interpretation of the code is that reply.sense_response_data_len and
> reply.sense_data are only meant to contain data about failures, i.e.
> when reply.srb_status != SRB_STATUS_SUCCESS. So this might not have been
> a problem, except that reply is a stack variable copied to userspace, so
> any uninitialized values in the struct represent a possible information
> leak.
>
> This is also a bug upstream. So I'll prepare a fix and submit it for
> Ubuntu and also upstream.
>
> Thanks Colin.
>
> Seth
>
Thanks for looking into this Seth.
Colin
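The bug class under discussion, as an added illustration that is not part of the thread and not the aacraid driver's own code or the fix Seth submitted: a stack-allocated reply struct is filled field by field, the sense fields are only written on the failure path, and the whole object is then handed to userspace. The struct layout, the status values and the "firmware result" input are constructed assumptions for this example; the field names follow the Coverity report above. Stale stack contents are modelled by poisoning the struct with a known byte before the fill routine runs, so the bytes that survive are exactly what copy_to_user would disclose.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the driver's reply structure. The field names follow
 * the Coverity report in the thread; the layout and the status values are
 * assumptions for this example, not the real aacraid definitions. */
#define SRB_STATUS_SUCCESS 0x01
#define SRB_STATUS_ERROR   0x04
#define SENSE_MAX          30

struct srb_reply {
    uint32_t status;
    uint32_t srb_status;
    uint32_t scsi_status;
    uint32_t data_xfer_length;
    uint32_t sense_data_size;
    uint8_t  sense_data[SENSE_MAX];  /* on a 4-byte-aligned ABI, 2 padding bytes follow */
};

/* Constructed stand-in for the completed command the driver reads back. */
struct fw_result {
    uint32_t srb_status;
    uint32_t scsi_status;
    uint32_t data_xfer_length;
    uint32_t sense_len;
    uint8_t  sense[SENSE_MAX];
};

/* Byte value standing in for whatever an earlier call left on the stack. */
#define STALE 0xAA

/* The pattern Coverity flagged: every field is written on the failure path,
 * but on success sense_data_size and sense_data are never touched, so the
 * struct that is about to be copied to userspace still holds stack contents. */
static void fill_reply_partial(struct srb_reply *reply, const struct fw_result *fw)
{
    reply->status = 0;
    reply->srb_status = fw->srb_status;
    reply->scsi_status = fw->scsi_status;
    reply->data_xfer_length = fw->data_xfer_length;
    if (fw->srb_status != SRB_STATUS_SUCCESS) {
        reply->sense_data_size = fw->sense_len;
        memcpy(reply->sense_data, fw->sense, sizeof(reply->sense_data));
    }
}

/* Hardened form: clear the whole object first. memset also clears padding
 * bytes, which a "= {0}" initializer is not required to do. */
static void fill_reply_zeroed(struct srb_reply *reply, const struct fw_result *fw)
{
    memset(reply, 0, sizeof(*reply));
    fill_reply_partial(reply, fw);
}

/* Model the stack: poison the reply's storage, run a fill routine, then count
 * the bytes that still carry the poison. Those are the bytes copy_to_user
 * would hand to the caller. */
static size_t stale_bytes_after(void (*fill)(struct srb_reply *, const struct fw_result *),
                                uint32_t srb_status)
{
    struct fw_result fw;
    memset(&fw, 0, sizeof(fw));
    fw.srb_status = srb_status;
    fw.data_xfer_length = 512;

    struct srb_reply reply;
    memset(&reply, STALE, sizeof(reply));
    fill(&reply, &fw);

    const unsigned char *p = (const unsigned char *)&reply;
    size_t stale = 0;
    for (size_t i = 0; i < sizeof(reply); i++)
        if (p[i] == STALE)
            stale++;
    return stale;
}

int main(void)
{
    printf("partial fill, success : %zu stale bytes of %zu\n",
           stale_bytes_after(fill_reply_partial, SRB_STATUS_SUCCESS),
           sizeof(struct srb_reply));
    printf("partial fill, error   : %zu stale bytes (padding only)\n",
           stale_bytes_after(fill_reply_partial, SRB_STATUS_ERROR));
    printf("zeroed fill, success  : %zu stale bytes\n",
           stale_bytes_after(fill_reply_zeroed, SRB_STATUS_SUCCESS));
    return 0;
}
```

Two things worth noting from the numbers: on the success path the partial fill leaves the entire sense region plus the trailing padding untouched, and even on the failure path, where every named field is written, the padding bytes still carry stack contents. Zeroing the object with memset before filling it closes both gaps; a designated initializer clears the members but leaves padding unspecified, which is why memset is the safer choice for anything that reaches copy_to_user.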