git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.4.172/omap2fb-fix-stack-memory-disclosure.patch
1 From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001
2 From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
3 Date: Fri, 11 Jan 2019 14:34:38 +0100
4 Subject: omap2fb: Fix stack memory disclosure
5
6 From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
7
8 commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.
9
10 Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
11 OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
12 cases could all leak uninitialized stack memory--either due to
13 uninitialized padding or 'reserved' fields.
14
15 Fix them by clearing the shared union used to store copied out data.
16
17 [1] https://github.com/vlad902/kernel-uninitialized-memory-checker
18
19 Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
20 Reviewed-by: Kees Cook <keescook@chromium.org>
21 Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
22 Cc: security@kernel.org
23 [b.zolnierkie: prefix patch subject with "omap2fb: "]
24 Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
25 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
26
27 ---
28 drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++
29 1 file changed, 2 insertions(+)
30
31 --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
32 +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
33 @@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, un
34
35 int r = 0;
36
37 + memset(&p, 0, sizeof(p));
38 +
39 switch (cmd) {
40 case OMAPFB_SYNC_GFX:
41 DBG("ioctl SYNC_GFX\n");
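
Review bot: The `memset(&p, 0, sizeof(p));` added ahead of `switch (cmd)` carries no comment, so a later cleanup could mistake it for a redundant clear and drop it or swap it for an initializer. Suggest a one-line comment above it, for example `/* p is copied out to user space: clear padding and reserved fields */`. Keeping memset rather than a `= {0}` initializer is the right choice for a union, since an initializer only sets the first member and does not guarantee that padding or the bytes of larger members are zeroed. Placing the clear before the switch means it also runs for commands that copy nothing out, such as OMAPFB_SYNC_GFX in the context lines. That cost is negligible, and it means any case added later is covered by default.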