scsi: aacraid: fix leak of data from stack back to userspace
authorColin Ian King <colin.king@canonical.com>
Mon, 15 May 2017 14:56:05 +0000 (15:56 +0100)
committerMartin K. Petersen <martin.petersen@oracle.com>
Mon, 26 Jun 2017 16:32:15 +0000 (12:32 -0400)
The fields sense_data_size and sense_data are unitialized garbage from
the stack and are being copied back to userspace.  Fix this leak of
stack information by ensuring they are zero'd.

Detected by CoverityScan, CID#1435473 ("Uninitialized scalar variable")

Fixes: 423400e64d377 ("scsi: aacraid: Include HBA direct interface")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Dave Carroll <david.carroll@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/aacraid/commctrl.c

index 106b9332f7184e8512f19ac271e3b80fe158d3f7..6bb6ed48e31dc6d77fa2f6a8c5b6f3a382e4a824 100644 (file)
@@ -955,6 +955,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
                        reply.srb_status = SRB_STATUS_SUCCESS;
                        reply.scsi_status = 0;
                        reply.data_xfer_length = byte_count;
+                       reply.sense_data_size = 0;
+                       memset(reply.sense_data, 0, AAC_SENSE_BUFFERSIZE);
                } else {
                        reply.srb_status = err->service_response;
                        reply.scsi_status = err->status;