If palmas_smps_read() fails, we should not use the read data in "reg"
which may contain a random value. The fix inserts a check for the return
value of palmas_smps_read(): If it fails, we return the error code
upstream and stop using "reg".
Signed-off-by: Kangjie Lu
---
driv
If palmas_smps_read() fails, we should not use the read data in "reg"
which may contain a random value. The fix inserts a check for the return
value of palmas_smps_read(): If it fails, we return the error code
upstream and stop using "reg".
Signed-off-by: Kangjie Lu
---
driv
The last field "flags" of object "minfo" is not initialized.
Copying this object out may leak kernel stack data.
Assign 0 to it to avoid leak.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
net/rds/recv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/r
The last field "flags" of object "minfo" is not initialized.
Copying this object out may leak kernel stack data.
Assign 0 to it to avoid leak.
Signed-off-by: Kangjie Lu
---
net/rds/recv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/rds/recv.c b/net/rds/
link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
net/tipc/netlink_compat.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ne
link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.
Signed-off-by: Kangjie Lu
---
net/tipc/netlink_compat.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/tipc/netlink_compat.c b/net
link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
net/tipc/netlink_compat.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/netlink_compat.c
link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.
Signed-off-by: Kangjie Lu
---
net/tipc/netlink_compat.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/netlink_compat.c b/net/tipc
The last field "flags" of object "minfo" is not initialized.
Copying this object out may leak kernel stack data.
Assign 0 to it to avoid leak.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
net/rds/recv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/r
The last field "flags" of object "minfo" is not initialized.
Copying this object out may leak kernel stack data.
Assign 0 to it to avoid leak.
Signed-off-by: Kangjie Lu
---
net/rds/recv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/rds/recv.c b/net/rds/
The field autoneg of pauseparam is not initialized in some
implementations of get_pauseparam(), but the whole object is
copied to userland.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
net/core/ethtool.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ne
The field autoneg of pauseparam is not initialized in some
implementations of get_pauseparam(), but the whole object is
copied to userland.
Signed-off-by: Kangjie Lu
---
net/core/ethtool.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/core/ethtool.c b/net/core
Stack object "dte_facilities" is allocated in x25_rx_call_request(),
which is supposed to be initialized in x25_negotiate_facilities.
However, 5 fields (8 bytes in total) are not initialized. This
object is then copied to userland via copy_to_user, thus infoleak
occurs.
Signed-off-by:
Stack object "dte_facilities" is allocated in x25_rx_call_request(),
which is supposed to be initialized in x25_negotiate_facilities.
However, 5 fields (8 bytes in total) are not initialized. This
object is then copied to userland via copy_to_user, thus infoleak
occurs.
Signed-off-by:
"mac" is an array allocated in stack without being initialized,
and will be sent out via "nla_put". The dump_station() is supposed
to initialize the mac address; otherwise, sensitive data in kernel
stack will be leaked. To fix this, copy the mac address to it.
Signed-o
"mac" is an array allocated in stack without being initialized,
and will be sent out via "nla_put". The dump_station() is supposed
to initialize the mac address; otherwise, sensitive data in kernel
stack will be leaked. To fix this, copy the mac address to it.
Signe
aningful mac address.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
index 448a5c8..44
aningful mac address.
Signed-off-by: Kangjie Lu
---
drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
index 448a5c8..44c1356 100644
--- a/driv
or completely remove this dump_station().
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
ind
or completely remove this dump_station().
Signed-off-by: Kangjie Lu
---
drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
index 12d1844..44a1582
The stack object “map” has a total size of 32 bytes. Its last 4
bytes are padding generated by compiler. These padding bytes are
not initialized and sent out via “nla_put”.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
net/core/rtnetlink.c | 18 ++
1 file changed, 10 inse
The stack object “map” has a total size of 32 bytes. Its last 4
bytes are padding generated by compiler. These padding bytes are
not initialized and sent out via “nla_put”.
Signed-off-by: Kangjie Lu
---
net/core/rtnetlink.c | 18 ++
1 file changed, 10 insertions(+), 8 deletions
The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/core
The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/core
The stack object “tread” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
The stack object “tread” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound
The stack object “info” has a total size of 128 bytes; however,
only 28 bytes are initialized. The remaining uninitialized bytes
are sent to userland via send_signal.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
kernel/signal.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/
The stack object “info” has a total size of 128 bytes; however,
only 28 bytes are initialized. The remaining uninitialized bytes
are sent to userland via send_signal.
Signed-off-by: Kangjie Lu
---
kernel/signal.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/signal.c b/kernel
The stack object “info” has a total size of 128 bytes; however,
only 32 bytes are initialized. The remaining uninitialized bytes
are sent to userland via send_signal.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
kernel/signal.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/
The stack object “info” has a total size of 128 bytes; however,
only 32 bytes are initialized. The remaining uninitialized bytes
are sent to userland via send_signal.
Signed-off-by: Kangjie Lu
---
kernel/signal.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/signal.c b/kernel
The 6-byte array “mac_addr” is not initialized in the dump_station
implementations of “drivers/staging/wilc1000/wilc_wfi_cfgoperations.c”
and “drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c”, so all 6
bytes may be leaked.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
net/wireless/nl8
The 6-byte array “mac_addr” is not initialized in the dump_station
implementations of “drivers/staging/wilc1000/wilc_wfi_cfgoperations.c”
and “drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c”, so all 6
bytes may be leaked.
Signed-off-by: Kangjie Lu
---
net/wireless/nl80211.c | 1 +
1 file
The stack object “si” has a total size of 128; however, only 20
bytes are initialized. The remaining uninitialized bytes are sent
to userland via send_signal.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
arch/arm64/mm/fault.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/ar
The stack object “si” has a total size of 128; however, only 20
bytes are initialized. The remaining uninitialized bytes are sent
to userland via send_signal.
Signed-off-by: Kangjie Lu
---
arch/arm64/mm/fault.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/mm/fault.c b/arch
The stack object “info” has a total size of 12 bytes. Its last byte
is padding which is not initialized and leaked via “put_cmsg”.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
net/llc/af_llc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
The stack object “info” has a total size of 12 bytes. Its last byte
is padding which is not initialized and leaked via “put_cmsg”.
Signed-off-by: Kangjie Lu
---
net/llc/af_llc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index b3c52e3..8ae3ed9 100644
The stack object “si” has a total size of 128 bytes; however, only
16 bytes are initialized. The remaining uninitialized bytes are
sent to userland via send_signal.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
fs/fcntl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/fcntl.
The stack object “si” has a total size of 128 bytes; however, only
16 bytes are initialized. The remaining uninitialized bytes are
sent to userland via send_signal.
Signed-off-by: Kangjie Lu
---
fs/fcntl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 350a2c8
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
are padding bytes which are not initialized and leaked to userland
via “copy_to_user”.
Signed-off-by: Kangjie Lu <k...@gatech.edu>
---
drivers/usb/core/devio.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
are padding bytes which are not initialized and leaked to userland
via “copy_to_user”.
Signed-off-by: Kangjie Lu
---
drivers/usb/core/devio.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers