]>
Commit | Line | Data |
---|---|---|
b11df3da GKH |
1 | From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001 |
2 | From: Vlad Tsyrklevich <vlad@tsyrklevich.net> | |
3 | Date: Fri, 11 Jan 2019 14:34:38 +0100 | |
4 | Subject: omap2fb: Fix stack memory disclosure | |
5 | ||
6 | From: Vlad Tsyrklevich <vlad@tsyrklevich.net> | |
7 | ||
8 | commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream. | |
9 | ||
10 | Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE, | |
11 | OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO | |
12 | cases could all leak uninitialized stack memory--either due to | |
13 | uninitialized padding or 'reserved' fields. | |
14 | ||
15 | Fix them by clearing the shared union used to store copied out data. | |
16 | ||
17 | [1] https://github.com/vlad902/kernel-uninitialized-memory-checker | |
18 | ||
19 | Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net> | |
20 | Reviewed-by: Kees Cook <keescook@chromium.org> | |
21 | Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver") | |
22 | Cc: security@kernel.org | |
23 | [b.zolnierkie: prefix patch subject with "omap2fb: "] | |
24 | Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> | |
25 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
26 | ||
27 | --- | |
28 | drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++ | |
29 | 1 file changed, 2 insertions(+) | |
30 | ||
31 | --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | |
32 | +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | |
33 | @@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, un | |
34 | ||
35 | int r = 0; | |
36 | ||
37 | + memset(&p, 0, sizeof(p)); | |
38 | + | |
39 | switch (cmd) { | |
40 | case OMAPFB_SYNC_GFX: | |
41 | DBG("ioctl SYNC_GFX\n"); |