Commit | Line | Data |
---|---|---|
bd7434bd GKH |
1 | From 32043fa065b51e0b1433e48d118821c71b5cd65d Mon Sep 17 00:00:00 2001 |
2 | From: Colin Ian King <colin.king@canonical.com> | |
3 | Date: Tue, 18 Dec 2018 17:29:56 +0000 | |
4 | Subject: x86/mtrr: Don't copy uninitialized gentry fields back to userspace | |
5 | ||
6 | From: Colin Ian King <colin.king@canonical.com> | |
7 | ||
8 | commit 32043fa065b51e0b1433e48d118821c71b5cd65d upstream. | |
9 | ||
10 | Currently the copy_to_user of data in the gentry struct is copying | |
11 | uninitialized data in field _pad from the stack to userspace. | |
12 | ||
13 | Fix this by explicitly memset'ing gentry to zero, this also will zero any | |
14 | compiler added padding fields that may be in struct (currently there are | |
15 | none). | |
16 | ||
17 | Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable") | |
18 | ||
19 | Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls") | |
20 | Signed-off-by: Colin Ian King <colin.king@canonical.com> | |
21 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | |
22 | Reviewed-by: Tyler Hicks <tyhicks@canonical.com> | |
23 | Cc: security@kernel.org | |
24 | Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.king@canonical.com | |
25 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
26 | ||
27 | --- | |
28 | arch/x86/kernel/cpu/mtrr/if.c | 2 ++ | |
29 | 1 file changed, 2 insertions(+) | |
30 | ||
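--- a/arch/x86/kernel/cpu/mtrr/if.c
+++ b/arch/x86/kernel/cpu/mtrr/if.c
@@ -173,6 +173,8 @@ mtrr_ioctl(struct file *file, unsigned i
 struct mtrr_gentry gentry;
 void __user *arg = (void __user *) __arg;
 
+ memset(&gentry, 0, sizeof(gentry));
+
 switch (cmd) {
 case MTRRIOC_ADD_ENTRY:
 case MTRRIOC_SET_ENTRY: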
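Review bot: The added `memset(&gentry, 0, sizeof(gentry));` has no comment saying why a full memset is used, so a later cleanup could swap it for an initializer such as `= {}`, which does not guarantee that padding bytes are cleared. Since the commit message says gentry is later passed to copy_to_user, I would put `/* Zero all of gentry, including _pad and any padding, before it can be copied to userspace */` directly above the call. mtrr_ioctl starts and ends outside the hunk, so the copy_to_user call sites are not visible here. Any other stack struct the function copies out should be checked for the same uninitialized-bytes pattern.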