Re: [PATCH v2 1/2] tty: fix compat TIOCGSERIAL leaking uninitialized memory

From: Eric Biggers
Date: Wed Mar 18 2020 - 12:37:00 EST


On Wed, Mar 18, 2020 at 01:00:00PM +0100, Greg Kroah-Hartman wrote:
> On Mon, Mar 02, 2020 at 01:24:25PM -0800, Eric Biggers wrote:
> > On Tue, Feb 25, 2020 at 08:30:35AM +0100, Jiri Slaby wrote:
> > > On 24. 02. 20, 19:20, Eric Biggers wrote:
> > > > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> > > >
> > > > Commit 77654350306a ("take compat TIOC[SG]SERIAL treatment into
> > > > tty_compat_ioctl()") changed the compat version of TIOCGSERIAL to start
> > > > copying a whole 'serial_struct32' to userspace rather than individual
> > > > fields, but failed to initialize all padding and fields -- namely the
> > > > hole after the 'iomem_reg_shift' field, and the 'reserved' field.
> > > >
> > > > Fix this by initializing the struct to zero.
> > > >
> > > > [v2: use sizeof, and convert the adjacent line for consistency.]
> > > >
> > > > Reported-by: syzbot+8da9175e28eadcb203ce@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > > Fixes: 77654350306a ("take compat TIOC[SG]SERIAL treatment into tty_compat_ioctl()")
> > > > Cc: <stable@xxxxxxxxxxxxxxx> # v4.20+
> > > > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> > >
> > > Acked-by: Jiri Slaby <jslaby@xxxxxxx>
> > >
> >
> > Thanks. Greg, are you planning to take these patches?
>
> Yes, sorry, they were not cc: linux-serial and fell through my initial
> filters, to go into my generic "to-review" bucket. Will take them
> now...
>

If people are supposed to send tty patches to linux-serial, then you need to add
it to MAINTAINERS:

$ ./scripts/get_maintainer.pl drivers/tty/
Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> (supporter:TTY LAYER)
Jiri Slaby <jslaby@xxxxxxxx> (supporter:TTY LAYER)
linux-kernel@xxxxxxxxxxxxxxx (open list)
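
The leak described in the quoted commit message (the hole after 'iomem_reg_shift' plus the never-assigned 'reserved' field) can be reproduced in user space. This is an added example, not part of the original message or the kernel patch. The struct is a cut-down stand-in for 'serial_struct32', and the names serial_struct32_model, fill_reply, expected_leak and the 0xAA marker are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Cut-down user-space stand-in for the tail of 'serial_struct32'
 * (assumption: only the fields needed to show the hole are kept). */
struct serial_struct32_model {
	unsigned int   iomem_base;
	unsigned short iomem_reg_shift;
	/* the compiler inserts padding here to align port_high */
	unsigned int   port_high;
	int            reserved;	/* never assigned by the field-by-field path */
};

#define STALE 0xAA	/* constructed marker for leftover stack contents */

/* Fill 'out' field by field, as the commit message describes; zero_first
 * selects the fix. Returns how many bytes of 'out' still hold the marker. */
size_t fill_reply(unsigned char *out, int zero_first)
{
	struct serial_struct32_model v32;
	size_t i, leaked = 0;

	memset(&v32, STALE, sizeof(v32));	/* simulate uninitialized stack */
	if (zero_first)
		memset(&v32, 0, sizeof(v32));	/* the fix: zero the whole struct */
	v32.iomem_base = 0x3f8;			/* constructed sample values */
	v32.iomem_reg_shift = 2;
	v32.port_high = 0;
	memcpy(out, &v32, sizeof(v32));		/* stands in for copy_to_user() */
	for (i = 0; i < sizeof(v32); i++)
		leaked += (out[i] == STALE);
	return leaked;
}

/* Bytes the field-by-field path never writes: the hole plus 'reserved'. */
size_t expected_leak(void)
{
	size_t hole = offsetof(struct serial_struct32_model, port_high) -
		      offsetof(struct serial_struct32_model, iomem_reg_shift) -
		      sizeof(unsigned short);
	return hole + sizeof(int);
}

int main(void)
{
	unsigned char out[sizeof(struct serial_struct32_model)];
	printf("without memset: %zu stale bytes\n", fill_reply(out, 0));
	printf("with memset:    %zu stale bytes\n", fill_reply(out, 1));
	return 0;
}
```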