From 9561f7faa45cb855b1ba83a4acf3f2ad3665e71f Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 23 Sep 2011 09:21:13 +0300 Subject: HID: hiddev: potential info leak in hiddev_ioctl() Smatch has a new check for Rosenberg type information leaks where structs are copied to the user with uninitialized stack data in them. In this case, the hiddev_devinfo struct has a two byte hole. struct hiddev_devinfo { __u32 bustype; /* 0 4 */ __u32 busnum; /* 4 4 */ __u32 devnum; /* 8 4 */ __u32 ifnum; /* 12 4 */ __s16 vendor; /* 16 2 */ __s16 product; /* 18 2 */ __s16 version; /* 20 2 */ /* XXX 2 bytes hole, try to pack */ __u32 num_applications; /* 24 4 */ Signed-off-by: Dan Carpenter Signed-off-by: Jiri Kosina --- drivers/hid/usbhid/hiddev.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/hid') diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c index 7c1188b53c3e..4ef02b269a71 100644 --- a/drivers/hid/usbhid/hiddev.c +++ b/drivers/hid/usbhid/hiddev.c @@ -641,6 +641,8 @@ static long hiddev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) struct usb_device *dev = hid_to_usb_dev(hid); struct usbhid_device *usbhid = hid->driver_data; + memset(&dinfo, 0, sizeof(dinfo)); + dinfo.bustype = BUS_USB; dinfo.busnum = dev->bus->busnum; dinfo.devnum = dev->devnum; -- cgit v1.2.3