[thirdparty/kernel/stable-queue.git] / releases / 4.4.172 / omap2fb-fix-stack-memory-disclosure.patch

From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001
From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Date: Fri, 11 Jan 2019 14:34:38 +0100
Subject: omap2fb: Fix stack memory disclosure

From: Vlad Tsyrklevich <vlad@tsyrklevich.net>

commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.

Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
cases could all leak uninitialized stack memory--either due to
uninitialized padding or 'reserved' fields.

Fix them by clearing the shared union used to store copied out data.

[1] https://github.com/vlad902/kernel-uninitialized-memory-checker

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Reviewed-by: Kees Cook <keescook@chromium.org>
Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
Cc: security@kernel.org
[b.zolnierkie: prefix patch subject with "omap2fb: "]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
@@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, un
 
 	int r = 0;
 
+	memset(&p, 0, sizeof(p));
+
 	switch (cmd) {
 	case OMAPFB_SYNC_GFX:
 		DBG("ioctl SYNC_GFX\n");
Commit	Line	Data
b11df3da GKH	1	From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001
	2	From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
	3	Date: Fri, 11 Jan 2019 14:34:38 +0100
	4	Subject: omap2fb: Fix stack memory disclosure
	5
	6	From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
	7
	8	commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.
	9
	10	Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
	11	OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
	12	cases could all leak uninitialized stack memory--either due to
	13	uninitialized padding or 'reserved' fields.
	14
	15	Fix them by clearing the shared union used to store copied out data.
	16
	17	[1] https://github.com/vlad902/kernel-uninitialized-memory-checker
	18
	19	Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
	20	Reviewed-by: Kees Cook <keescook@chromium.org>
	21	Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
	22	Cc: security@kernel.org
	23	[b.zolnierkie: prefix patch subject with "omap2fb: "]
	24	Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
	25	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	26
	27	---
	28	drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c \| 2 ++
	29	1 file changed, 2 insertions(+)
	30
	31	--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
	32	+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
	33	@@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, un
	34
	35	int r = 0;
	36
	37	+ memset(&p, 0, sizeof(p));
	38	+
	39	switch (cmd) {
	40	case OMAPFB_SYNC_GFX:
	41	DBG("ioctl SYNC_GFX\n");