cifs_dbg() outputs an uninitialized buffer in cifs_readdir()

commit 01b9b0b28626db4a47d7f48744d70abca9914ef1 upstream.

In some cases tmp_bug can be not filled in cifs_filldir and stay uninitialized,
therefore its printk with "%s" modifier can leak content of kernelspace memory.
If old content of this buffer does not contain '\0' access bejond end of
allocated object can crash the host.

Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Steve French <sfrench@localhost.localdomain>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
index 52a820a..dc93a6d 100644 (file)
--- a/fs/cifs/readdir.c
+++ b/fs/cifs/readdir.c
@@ -823,6 +823,7 @@ int cifs_readdir(struct file *file, void *direntry, filldir_t filldir)
                        }
                        /* if buggy server returns . and .. late do
                        we want to check for that here? */
                        }
                        /* if buggy server returns . and .. late do
                        we want to check for that here? */

+                       *tmp_buf = 0;

                        rc = cifs_filldir(current_entry, file,
                                        filldir, direntry, tmp_buf, max_len);
                        if (rc == -EOVERFLOW) {
                        rc = cifs_filldir(current_entry, file,
                                        filldir, direntry, tmp_buf, max_len);
                        if (rc == -EOVERFLOW) {