From: Vasily Averin <[email protected]> 3.12-stable review patch. If anyone has any objections, please let me know.
=============== commit 01b9b0b28626db4a47d7f48744d70abca9914ef1 upstream. In some cases tmp_bug can be not filled in cifs_filldir and stay uninitialized, therefore its printk with "%s" modifier can leak content of kernelspace memory. If old content of this buffer does not contain '\0' access bejond end of allocated object can crash the host. Signed-off-by: Vasily Averin <[email protected]> Signed-off-by: Steve French <[email protected]> Signed-off-by: Jiri Slaby <[email protected]> --- fs/cifs/readdir.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c index e327a9207ee1..5454aff19d18 100644 --- a/fs/cifs/readdir.c +++ b/fs/cifs/readdir.c @@ -849,6 +849,7 @@ int cifs_readdir(struct file *file, struct dir_context *ctx) * if buggy server returns . and .. late do we want to * check for that here? */ + *tmp_buf = 0; rc = cifs_filldir(current_entry, file, ctx, tmp_buf, max_len); if (rc) { -- 2.7.1
