Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fix from James Bottomley:
"One fix for an information leak caused by copying a buffer to
userspace without checking for error first in the sr driver"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: sr: Do not leak information in ioctl

+12 -3
+12 -3
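--- a/drivers/scsi/sr_ioctl.c
+++ b/drivers/scsi/sr_ioctl.c
@@ -41,7 +41,7 @@
 	int result;
 	unsigned char *buffer;
 
-	buffer = kmalloc(32, GFP_KERNEL);
+	buffer = kzalloc(32, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;
 
@@ -55,10 +55,13 @@
 	cgc.data_direction = DMA_FROM_DEVICE;
 
 	result = sr_do_ioctl(cd, &cgc);
+	if (result)
+		goto err;
 
 	tochdr->cdth_trk0 = buffer[2];
 	tochdr->cdth_trk1 = buffer[3];
 
+err:
 	kfree(buffer);
 	return result;
 }
@@ -71,7 +74,7 @@
 	int result;
 	unsigned char *buffer;
 
-	buffer = kmalloc(32, GFP_KERNEL);
+	buffer = kzalloc(32, GFP_KERNEL);
 	if (!buffer)
 		return -ENOMEM;
 
@@ -86,6 +89,8 @@
 	cgc.data_direction = DMA_FROM_DEVICE;
 
 	result = sr_do_ioctl(cd, &cgc);
+	if (result)
+		goto err;
 
 	tocentry->cdte_ctrl = buffer[5] & 0xf;
 	tocentry->cdte_adr = buffer[5] >> 4;
@@ -98,6 +103,7 @@
 		tocentry->cdte_addr.lba = (((((buffer[8] << 8) + buffer[9]) << 8)
 			+ buffer[10]) << 8) + buffer[11];
 
+err:
 	kfree(buffer);
 	return result;
 }
@@ -384,7 +390,7 @@
 {
 	Scsi_CD *cd = cdi->handle;
 	struct packet_command cgc;
-	char *buffer = kmalloc(32, GFP_KERNEL);
+	char *buffer = kzalloc(32, GFP_KERNEL);
 	int result;
 
 	if (!buffer)
@@ -400,10 +406,13 @@
 	cgc.data_direction = DMA_FROM_DEVICE;
 	cgc.timeout = IOCTL_TIMEOUT;
 	result = sr_do_ioctl(cd, &cgc);
+	if (result)
+		goto err;
 
 	memcpy(mcn->medium_catalog_number, buffer + 9, 13);
 	mcn->medium_catalog_number[13] = 0;
 
+err:
 	kfree(buffer);
 	return result;
 }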
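Review bot: The three `kzalloc(32, GFP_KERNEL)` calls carry no comment saying why the buffer must be zeroed, so a later cleanup could switch them back to `kmalloc` on the assumption that the device always overwrites the buffer. The new `if (result) goto err;` only covers a failed command; whether `sr_do_ioctl` can return 0 after a short transfer is not visible in these hunks, and if it can, the zeroing is what keeps stale heap bytes out of `tochdr`, `tocentry` and `mcn`. I would add `/* zeroed: bytes the device does not fill must not carry stale heap data */` above each allocation. The label is also reached on the success path, so `out:` would describe it better than `err:`. All three function bodies start outside the hunks shown.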