cifs_dbg() outputs an uninitialized buffer in cifs_readdir()

commit 01b9b0b2 upstream. In some cases tmp_bug can be not filled in cifs_filldir and stay uninitialized, therefore its printk with "%s" modifier can leak content of kernelspace memory. If old content of this buffer does not contain '\0' access bejond end of allocated object can crash the host. Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Steve French <sfrench@localhost.localdomain> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

cifs_dbg() outputs an uninitialized buffer in cifs_readdir()
commit 01b9b0b2 upstream. In some cases tmp_bug can be not filled in cifs_filldir and stay uninitialized, therefore its printk with "%s" modifier can leak content of kernelspace memory. If old content of this buffer does not contain '\0' access bejond end of allocated object can crash the host. Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Steve French <sfrench@localhost.localdomain> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
32ea1f7a · Vasily Averin · Ben Hutchings · ece016f8 · 32ea1f7a
Commit 32ea1f7a authored Jan 14, 2016 by Vasily Averin Committed by Ben Hutchings Feb 13, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

fs/cifs/readdir.c fs/cifs/readdir.c +1 -0

No files found.
--- a/fs/cifs/readdir.c
+++ b/fs/cifs/readdir.c
@@ -823,6 +823,7 @@ int cifs_readdir(struct file *file, void *direntry, filldir_t filldir)
 			}
 			/* if buggy server returns . and .. late do
 			we want to check for that here? */
+			*tmp_buf = 0;
 			rc = cifs_filldir(current_entry, file,
 					filldir, direntry, tmp_buf, max_len);
 			if (rc == -EOVERFLOW) {