From: Greg Kroah-Hartman Date: Thu, 9 Dec 2021 18:02:15 +0000 (+0100) Subject: USB: gadget: zero allocate endpoint 0 buffers X-Git-Tag: MMI-RSBS31.Q1-48-36-26~22 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=42262a0a0a1af9ab6e5698c4f4830decfe96e3c9;p=GitHub%2FMotorolaMobilityLLC%2Fkernel-slsi.git USB: gadget: zero allocate endpoint 0 buffers commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream. Under some conditions, USB gadget devices can show allocated buffer contents to a host. Fix this up by zero-allocating them so that any extra data will all just be zeros. Mot-CRs-fixed: (CR) CVE-Fixed: CVE-2021-39685 Bug: 210292376 Change-Id: I5f4fdbf7b0c241f60d7b27539110c167ba8e7e00 Reported-by: Szymon Heidrich Tested-by: Szymon Heidrich Signed-off-by: Greg Kroah-Hartman Signed-off-by: Gajjala Chakradhar Reviewed-on: https://gerrit.mot.com/2197706 SME-Granted: SME Approvals Granted SLTApproved: Slta Waiver Tested-by: Jira Key Reviewed-by: Xiangpo Zhao Submit-Approved: Jira Key --- diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index 4bf96d415232..ab1340053f3a 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -2126,7 +2126,7 @@ int composite_dev_prepare(struct usb_composite_driver *composite, if (!cdev->req) return -ENOMEM; - cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL); + cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL); if (!cdev->req->buf) goto fail; diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c index 99ca3dabc4f3..64a77c0fbfd4 100644 --- a/drivers/usb/gadget/legacy/dbgp.c +++ b/drivers/usb/gadget/legacy/dbgp.c @@ -136,7 +136,7 @@ static int dbgp_enable_ep_req(struct usb_ep *ep) goto fail_1; } - req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL); + req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL); if (!req->buf) { err = -ENOMEM; stp = 2;