[linux-usb-devel] [PATCH as538] usbfs: Don't leak uninitialized data

[Alan Stern]

Greg:

This patch fixes an information leak in the usbfs snoop facility:  
uninitialized data from __get_free_page can be returned to userspace and
written to the system log.  It also improves the snoop output by printing
the wLength value.

Alan Stern



Signed-off-by: Alan Stern <[EMAIL PROTECTED]>

Index: usb-2.6/drivers/usb/core/devio.c
===================================================================
--- usb-2.6.orig/drivers/usb/core/devio.c
+++ usb-2.6/drivers/usb/core/devio.c
@@ -569,8 +569,11 @@ static int proc_control(struct dev_state
                        free_page((unsigned long)tbuf);
                        return -EINVAL;
                }
-               snoop(&dev->dev, "control read: bRequest=%02x 
bRrequestType=%02x wValue=%04x wIndex=%04x\n", 
-                       ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, 
ctrl.wIndex);
+               snoop(&dev->dev, "control read: bRequest=%02x "
+                               "bRrequestType=%02x wValue=%04x "
+                               "wIndex=%04x wLength=%04x\n", 
+                       ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
+                               ctrl.wIndex, ctrl.wLength);
 
                usb_unlock_device(dev);
                i = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), 
ctrl.bRequest, ctrl.bRequestType,
@@ -579,11 +582,11 @@ static int proc_control(struct dev_state
                if ((i > 0) && ctrl.wLength) {
                        if (usbfs_snoop) {
                                dev_info(&dev->dev, "control read: data ");
-                               for (j = 0; j < ctrl.wLength; ++j)
+                               for (j = 0; j < i; ++j)
                                        printk ("%02x ", (unsigned 
char)(tbuf)[j]);
                                printk("\n");
                        }
-                       if (copy_to_user(ctrl.data, tbuf, ctrl.wLength)) {
+                       if (copy_to_user(ctrl.data, tbuf, i)) {
                                free_page((unsigned long)tbuf);
                                return -EFAULT;
                        }
@@ -595,8 +598,11 @@ static int proc_control(struct dev_state
                                return -EFAULT;
                        }
                }
-               snoop(&dev->dev, "control write: bRequest=%02x 
bRrequestType=%02x wValue=%04x wIndex=%04x\n", 
-                       ctrl.bRequest, ctrl.bRequestType, ctrl.wValue, 
ctrl.wIndex);
+               snoop(&dev->dev, "control write: bRequest=%02x "
+                               "bRrequestType=%02x wValue=%04x "
+                               "wIndex=%04x wLength=%04x\n", 
+                       ctrl.bRequest, ctrl.bRequestType, ctrl.wValue,
+                               ctrl.wIndex, ctrl.wLength);
                if (usbfs_snoop) {
                        dev_info(&dev->dev, "control write: data: ");
                        for (j = 0; j < ctrl.wLength; ++j)



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel