From: Eugene Teo <eteo@redhat.com>
Date: Wed, 18 Aug 2010 03:31:44 -0400
Subject: [usb] fix usbfs information leak
Message-id: <20100818033144.GA10468@infradead.org>
Patchwork-id: 27677
O-Subject: [RHEL5.6 PATCH] BZ#566629 CVE-2010-1083 usbfs infoleak
Bugzilla: 566629
CVE: CVE-2010-1083
RH-Acked-by: Danny Feng <dfeng@redhat.com>
RH-Acked-by: Don Zickus <dzickus@redhat.com>
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>

Backport of upstream commit d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6.
Fixes CVE-2010-1083.

Test status: Only build.

We need to only copy the data received by the device to userspace, not the
whole kernel buffer, which can contain "stale" data.

Signed-off-by: Eugene Teo <eteo@redhat.com>
--
 drivers/usb/core/devio.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index db364b5..4e4365b 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1106,8 +1106,8 @@ static int processcompl(struct async *as, void __user * __user *arg) void __user *addr = as->userurb; unsigned int i; - if (as->userbuffer) - if (copy_to_user(as->userbuffer, urb->transfer_buffer, urb->transfer_buffer_length)) + if (as->userbuffer && urb->actual_length) + if (copy_to_user(as->userbuffer, urb->transfer_buffer, urb->actual_length)) return -EFAULT; if (put_user(urb->status, &userurb->status)) return -EFAULT; @@ -1220,8 +1220,8 @@ static int processcompl_compat(struct async *as, void __user * __user *arg) void __user *addr = as->userurb; unsigned int i; - if (as->userbuffer) - if (copy_to_user(as->userbuffer, urb->transfer_buffer, urb->transfer_buffer_length)) + if (as->userbuffer && urb->actual_length) + if (copy_to_user(as->userbuffer, urb->transfer_buffer, urb->actual_length)) return -EFAULT; if (put_user(urb->status, &userurb->status)) return -EFAULT;
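
Review bot: in the processcompl() hunk, copying `urb->actual_length` bytes from offset 0 of `urb->transfer_buffer` is only correct when the received data is contiguous from the start of the buffer. That holds for a single control, bulk or interrupt transfer, but an isochronous URB places each packet at its own offset, so one short packet leaves valid data beyond the first `actual_length` bytes and this copy would truncate it. Please either keep the full-length copy for isochronous URBs and close the leak there by zeroing the buffer when it is allocated, or state in the commit message why that case cannot reach this path. With "Test status: Only build", an isochronous read through usbfs is worth running before this goes in.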
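
Review bot: the processcompl_compat() hunk repeats the processcompl() change line for line, so the copy-out logic now has to be kept in sync by hand in two places, and the compat path is the one least likely to be exercised. Consider moving the `as->userbuffer` copy into one small helper that both functions call. As a style point in both hunks, the nested unbraced `if` can be folded into a single condition, `if (as->userbuffer && urb->actual_length && copy_to_user(...))`, which also makes it easier to see that a zero-length completion skips the copy on purpose.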