[thirdparty/kernel/stable-queue.git] / releases / 4.4.170 / x86-mtrr-don-t-copy-uninitialized-gentry-fields-back-to-userspace.patch

From 32043fa065b51e0b1433e48d118821c71b5cd65d Mon Sep 17 00:00:00 2001
From: Colin Ian King <colin.king@canonical.com>
Date: Tue, 18 Dec 2018 17:29:56 +0000
Subject: x86/mtrr: Don't copy uninitialized gentry fields back to userspace

From: Colin Ian King <colin.king@canonical.com>

commit 32043fa065b51e0b1433e48d118821c71b5cd65d upstream.

Currently the copy_to_user of data in the gentry struct is copying
uninitiaized data in field _pad from the stack to userspace.

Fix this by explicitly memset'ing gentry to zero, this also will zero any
compiler added padding fields that may be in struct (currently there are
none).

Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable")

Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Cc: security@kernel.org
Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.king@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/mtrr/if.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kernel/cpu/mtrr/if.c
+++ b/arch/x86/kernel/cpu/mtrr/if.c
@@ -173,6 +173,8 @@ mtrr_ioctl(struct file *file, unsigned i
 	struct mtrr_gentry gentry;
 	void __user *arg = (void __user *) __arg;
 
+	memset(&gentry, 0, sizeof(gentry));
+
 	switch (cmd) {
 	case MTRRIOC_ADD_ENTRY:
 	case MTRRIOC_SET_ENTRY:
Commit	Line	Data
bd7434bd GKH	1	From 32043fa065b51e0b1433e48d118821c71b5cd65d Mon Sep 17 00:00:00 2001
	2	From: Colin Ian King <colin.king@canonical.com>
	3	Date: Tue, 18 Dec 2018 17:29:56 +0000
	4	Subject: x86/mtrr: Don't copy uninitialized gentry fields back to userspace
	5
	6	From: Colin Ian King <colin.king@canonical.com>
	7
	8	commit 32043fa065b51e0b1433e48d118821c71b5cd65d upstream.
	9
	10	Currently the copy_to_user of data in the gentry struct is copying
	11	uninitiaized data in field _pad from the stack to userspace.
	12
	13	Fix this by explicitly memset'ing gentry to zero, this also will zero any
	14	compiler added padding fields that may be in struct (currently there are
	15	none).
	16
	17	Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable")
	18
	19	Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit ioctls")
	20	Signed-off-by: Colin Ian King <colin.king@canonical.com>
	21	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	22	Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
	23	Cc: security@kernel.org
	24	Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.king@canonical.com
	25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	26
	27	---
	28	arch/x86/kernel/cpu/mtrr/if.c \| 2 ++
	29	1 file changed, 2 insertions(+)
	30
	31	--- a/arch/x86/kernel/cpu/mtrr/if.c
	32	+++ b/arch/x86/kernel/cpu/mtrr/if.c
	33	@@ -173,6 +173,8 @@ mtrr_ioctl(struct file *file, unsigned i
	34	struct mtrr_gentry gentry;
	35	void __user arg = (void __user ) __arg;
	36
	37	+ memset(&gentry, 0, sizeof(gentry));
	38	+
	39	switch (cmd) {
	40	case MTRRIOC_ADD_ENTRY:
	41	case MTRRIOC_SET_ENTRY: