Commit f7c134af authored by Tomas Bortoli, committed by Khalid Elmously

media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()

BugLink: https://bugs.launchpad.net/bugs/1848589

[ Upstream commit a10feaf8 ]

The function at issue does not always initialize each byte allocated
for 'b' and can therefore leak uninitialized memory to a USB device in
the call to usb_bulk_msg()

Use kzalloc() instead of kmalloc()

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+0522702e9d67142379f1@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Connor Kuehl <connor.kuehl@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
parent ee526918
...@@ -272,7 +272,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, ...@@ -272,7 +272,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command,
dprintk("%s\n", __func__); dprintk("%s\n", __func__);
b = kmalloc(COMMAND_PACKET_SIZE + 4, GFP_KERNEL); b = kzalloc(COMMAND_PACKET_SIZE + 4, GFP_KERNEL);
if (!b) if (!b)
return -ENOMEM; return -ENOMEM;
......
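Review bot: the switch to `kzalloc(COMMAND_PACKET_SIZE + 4, GFP_KERNEL)` is undocumented at the allocation site, so nothing in the code says the zeroing is load-bearing. A one-line comment above the allocation, stating that `b` is zeroed because its contents are handed to the device through usb_bulk_msg(), would stop a later cleanup from turning it back into kmalloc(). The commit message would also be easier to verify if it named which bytes of `b` the function can leave unwritten and how many bytes the transfer sends, since the hunk shows only the allocation and the NULL check.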