mtd: mtdchar: fix information leak to userland
authorVasiliy Kulikov <segooon@gmail.com>
Sat, 6 Nov 2010 14:41:24 +0000 (17:41 +0300)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Fri, 3 Dec 2010 16:29:12 +0000 (16:29 +0000)
Structure mtd_info_user is copied to userland with the padding bytes
between the "type" and "flags" fields uninitialized.  This leaks
contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
drivers/mtd/mtdchar.c

index 4759d827e8c78264b7ec54e1851eb9bdb6ed9c8c..cad8fcc7b239e2e5e38d3f9e9de728f1db41a78e 100644 (file)
@@ -601,6 +601,7 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
        }
 
        case MEMGETINFO:
+               memset(&info, 0, sizeof(info));
                info.type       = mtd->type;
                info.flags      = mtd->flags;
                info.size       = mtd->size;
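Review bot: The memset added at the top of the MEMGETINFO case has no comment saying why it is there, so a later cleanup could mistake it for redundant initialisation and drop it, reintroducing the padding disclosure. I would add `/* Clear padding too: the whole struct is copied to userland */` above it. The declaration of `info` and the rest of mtd_ioctl lie outside the hunk, so whether other cases in this function copy partly initialised stack structures to userland cannot be judged from here and is worth checking separately.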
@@ -609,7 +610,6 @@ static int mtd_ioctl(struct file *file, u_int cmd, u_long arg)
                info.oobsize    = mtd->oobsize;
                /* The below fields are obsolete */
                info.ecctype    = -1;
-               info.eccsize    = 0;
                if (copy_to_user(argp, &info, sizeof(struct mtd_info_user)))
                        return -EFAULT;
                break;
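Review bot: The comment `/* The below fields are obsolete */` no longer matches the code: after the removal only `ecctype` is set beneath it, and `eccsize` is zero solely because of the memset in the earlier hunk. Rewording it to `/* Obsolete fields: ecctype is -1, eccsize stays 0 from the memset above */` keeps that dependency visible. Separately, the copy uses `sizeof(struct mtd_info_user)` while the memset uses `sizeof(info)`. Assuming `info` is declared with that type (the declaration is outside the hunk), `copy_to_user(argp, &info, sizeof(info))` would keep the cleared and copied lengths tied to the same object.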