[PATCH] fbdev: potential information leak in do_fb_ioctl()

From: Dan Carpenter
Date: Tue Oct 29 2019 - 14:25:14 EST

Next message: Andrew Lunn: "Re: [PATCH 0/3] net: phy: initialize PHYs via device tree properties"
Previous message: Dan Carpenter: "[PATCH] media: smiapp: unlock on error in smiapp_start_streaming()"
Next in thread: Joe Perches: "Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The "fix" struct has a 2 byte hole after ->ywrapstep and the
"fix = info->fix;" assignment doesn't necessarily clear it. It depends
on the compiler.

Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
I have 13 more similar places to patch... I'm not totally sure I
understand all the issues involved.

drivers/video/fbdev/core/fbmem.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 6f6fc785b545..b4ce6a28aed9 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1109,6 +1109,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
ret = -EFAULT;
break;
case FBIOGET_FSCREENINFO:
+ memset(&fix, 0, sizeof(fix));
lock_fb_info(info);
fix = info->fix;
if (info->flags & FBINFO_HIDE_SMEM_START)
--
2.20.1

Next message: Andrew Lunn: "Re: [PATCH 0/3] net: phy: initialize PHYs via device tree properties"
Previous message: Dan Carpenter: "[PATCH] media: smiapp: unlock on error in smiapp_start_streaming()"
Next in thread: Joe Perches: "Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]