From: Greg Kroah-Hartman Date: Thu, 9 Dec 2021 18:02:15 +0000 (+0100) Subject: USB: gadget: zero allocate endpoint 0 buffers X-Git-Tag: archive/raspbian/5.15.15-2+rpi1~1^2^2^2~18 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks:///%22http:/www.example.com/cgi/%22https:/%22bookmarks:/?a=commitdiff_plain;h=a146c6e62bdbb654d6dc021915ecb2cc54c38651;p=linux.git USB: gadget: zero allocate endpoint 0 buffers Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=6eea4ace62fa6414432692ee44f0c0a3d541d97a Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-39685 commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream. Under some conditions, USB gadget devices can show allocated buffer contents to a host. Fix this up by zero-allocating them so that any extra data will all just be zeros. Reported-by: Szymon Heidrich Tested-by: Szymon Heidrich Signed-off-by: Greg Kroah-Hartman Gbp-Pq: Topic bugfix/all Gbp-Pq: Name USB-gadget-zero-allocate-endpoint-0-buffers.patch --- diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index 1ef7922b57b..284eea9f6e4 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -2221,7 +2221,7 @@ int composite_dev_prepare(struct usb_composite_driver *composite, if (!cdev->req) return -ENOMEM; - cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL); + cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL); if (!cdev->req->buf) goto fail; diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c index e567afcb279..355bc7dab9d 100644 --- a/drivers/usb/gadget/legacy/dbgp.c +++ b/drivers/usb/gadget/legacy/dbgp.c @@ -137,7 +137,7 @@ static int dbgp_enable_ep_req(struct usb_ep *ep) goto fail_1; } - req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL); + req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL); if (!req->buf) { err = -ENOMEM; stp = 2;
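Review bot: In the drivers/usb/gadget/composite.c hunk, `kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL)` clears the buffer only at the moment it is allocated in composite_dev_prepare(), and nothing in this hunk bounds how much of the buffer a later reply may expose. The commit message says only "under some conditions". It would help to state which conditions are meant, and whether a length check against USB_COMP_EP0_BUFSIZ is handled in a separate change. Zeroing limits what stale heap data can reach the host, but on its own it does not constrain a transfer length larger than the buffer. A one-line comment above the allocation saying the zeroing is deliberate would also keep it from being turned back into kmalloc() later as a micro-optimisation.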
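Review bot: In the drivers/usb/gadget/legacy/dbgp.c hunk, the subject line says "endpoint 0 buffers", but the changed allocation `req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL);` sits in dbgp_enable_ep_req(struct usb_ep *ep), which takes whatever endpoint it is handed. Nothing visible here ties it to endpoint 0. Please either note in the commit message that this request is the ep0 one, or add a short comment at the allocation explaining that the buffer can be sent back to the host and must start zeroed. As in the composite.c hunk, the zero fill covers only the first DBGP_REQ_LEN bytes at allocation time, so it is worth saying where the reply length is checked against DBGP_REQ_LEN.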