git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Jonathan Salwan <jonathan.salwan@gmail.com>
	Wed, 19 Jun 2013 00:05:44 +0000 (10:05 +1000)
committer	Stephen Rothwell <sfr@canb.auug.org.au>
	Wed, 19 Jun 2013 07:12:51 +0000 (17:12 +1000)
commit	978e3e1bc45a9a191b4d2ada407dc84d47ade820
tree	8bd719a00d291f7acc344d8de44651d3b8d67cfa	tree \| snapshot
parent	2940d651e44081d65901cb8aa18990dd7b2067d4	commit \| diff

drivers/cdrom/cdrom.c: use kzalloc() for failing hardware

In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
area with kmalloc in line 2885.

2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
2886         if (cgc->buffer == NULL)
2887                 return -ENOMEM;

In line 2908 we can find the copy_to_user function:

2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))

The cgc->buffer is never cleaned and initialized before this function.  If
ret = 0 with the previous basic block, it's possible to display some
memory bytes in kernel space from userspace.

When we read a block from the disk it normally fills the ->buffer but if
the drive is malfunctioning there is a chance that it would only be
partially filled.  The result is an leak information to userspace.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>