From: Jay Fenlason <fenlason@redhat.com> Date: Thu, 9 Dec 2010 20:57:49 -0500 Subject: [net] cxgb3: fix read of uninitialized stack memory Message-id: <20101209205748.GA744@redhat.com> Patchwork-id: 30061 O-Subject: [PATCH RHEL5] bz633155 CVE-2010-3296 kernel: drivers/net/cxgb3/cxgb3_main.c reading uninitialized stack memory Bugzilla: 633155 CVE: CVE-2010-3296 RH-Acked-by: Andy Gospodarek <gospo@redhat.com> RH-Acked-by: Dean Nelson <dnelson@redhat.com> RH-Acked-by: David S. Miller <davem@redhat.com> The cxgb3 driver does not zero out a structure before sending it to userspace. This is a trivial backport of the one-line upstream fix. Only the line numbers differ. I've compile tested this locally, but I don't have the hardware in question, so I can't do further testing. Signed-off-by: Jarod Wilson <jarod@redhat.com> diff --git a/drivers/net/cxgb3/cxgb3_main.c b/drivers/net/cxgb3/cxgb3_main.c index 2d78754..d6af748 100644 --- a/drivers/net/cxgb3/cxgb3_main.c +++ b/drivers/net/cxgb3/cxgb3_main.c @@ -2192,6 +2192,8 @@ static int cxgb_extension_ioctl(struct net_device *dev, void __user *useraddr) case CHELSIO_GET_QSET_NUM:{ struct ch_reg edata; + memset(&edata, 0, sizeof(struct ch_reg)); + edata.cmd = CHELSIO_GET_QSET_NUM; edata.val = pi->nqsets; if (copy_to_user(useraddr, &edata, sizeof(edata)))
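Review bot: in the CHELSIO_GET_QSET_NUM case, the added memset sizes the clear with `sizeof(struct ch_reg)` while the `copy_to_user()` two lines later sizes the copy with `sizeof(edata)`. Using `memset(&edata, 0, sizeof(edata));` would tie both lengths to the same object, so the cleared region cannot drift from the copied region if the declaration ever changes. Both `cmd` and `val` are assigned right after the memset, so the clear only matters for bytes of `struct ch_reg` that those two assignments do not cover; a short comment saying so would keep a later cleanup from dropping the call as redundant. The commit message calls this a backport of the one-line upstream fix but does not give the upstream commit id, which would make the backport easier to audit.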