zesty SRU, LP#1668726

Colin Ian King colin.king at canonical.com
Fri Jun 23 12:56:07 UTC 2017


On 23/06/17 13:54, Seth Forshee wrote:
> On Fri, Jun 23, 2017 at 11:21:15AM +0100, Colin Ian King wrote:
>> CoverityScan picked up a regression with the patches for LP#1668726
>>
>>     CID 1435473 (#1 of 1): Uninitialized scalar variable (UNINIT)
>>     59. uninit_use_in_call: Using uninitialized value reply. Field
>>     reply.sense_data_size is uninitialized when calling copy_to_user.
>>
>>  967                if (copy_to_user(user_reply, &reply,
>>  968                        sizeof(struct aac_srb_reply))) {
>>  969                        dprintk((KERN_DEBUG"aacraid: Copy to user failed\n"));
>>  970                        rcode = -EFAULT;
>>  971                        goto cleanup;
> 
> My interpretation of the code is that reply.sense_response_data_len and
> reply.sense_data are only meant to contain data about failures, i.e.
> when reply.srb_status != SRB_STATUS_SUCCESS. So this might not have been
> a problem, except that reply is a stack variable copied to userspace, so
> any uninitialized values in the struct represent a possible information
> leak.
> 
> This is also a bug upstream. So I'll prepare a fix and submit it for
> Ubuntu and also upstream.
> 
> Thanks Colin.
> 
> Seth
> 
Thanks for looking into this Seth.

Colin
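An added illustration of the bug class Seth describes (this is not code from the thread or from the aacraid driver; the struct below is a simplified stand-in whose layout is assumed, not the real struct aac_srb_reply). The success path fills only some fields, so a stack object copied out whole carries whatever the stack held before; zeroing the object first closes the leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SRB_STATUS_SUCCESS 0x01
#define SENSE_MAX 32   /* assumed size; chosen so the struct has no padding */

/* Simplified stand-in for the driver's reply struct (layout is assumed). */
struct srb_reply {
    uint32_t status;
    uint32_t srb_status;
    uint32_t scsi_status;
    uint32_t data_xfer_length;
    uint32_t sense_data_size;
    uint8_t  sense_data[SENSE_MAX];
};

/* Vulnerable pattern: sense fields are only written on failure, so on the
 * success path they keep whatever the stack held before the call. */
static void fill_reply_vulnerable(struct srb_reply *r, uint32_t srb_status,
                                  const uint8_t *sense, size_t sense_len)
{
    r->status = 0;
    r->srb_status = srb_status;
    r->scsi_status = 0;
    r->data_xfer_length = 0;
    if (srb_status != SRB_STATUS_SUCCESS) {
        r->sense_data_size = (uint32_t)sense_len;
        memcpy(r->sense_data, sense, sense_len);
    }
}

/* Hardened pattern: zero the whole object first (memset or a `= {0}`
 * initializer in the kernel), then fill in the fields as before. */
static void fill_reply_hardened(struct srb_reply *r, uint32_t srb_status,
                                const uint8_t *sense, size_t sense_len)
{
    memset(r, 0, sizeof(*r));
    fill_reply_vulnerable(r, srb_status, sense, sense_len);
}

/* Simulate stale stack contents (constructed marker 0xAA), run the success
 * path through one variant and count marker bytes that would reach userspace. */
static size_t leaked_on_success(int hardened)
{
    struct srb_reply r;
    const uint8_t *p = (const uint8_t *)&r;
    size_t i, n = 0;
    memset(&r, 0xAA, sizeof(r));
    (hardened ? fill_reply_hardened : fill_reply_vulnerable)(&r, SRB_STATUS_SUCCESS, NULL, 0);
    for (i = 0; i < sizeof(r); i++)
        n += (p[i] == 0xAA);
    return n;   /* vulnerable: 36 bytes (size field + sense buffer); hardened: 0 */
}
```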
