--- /dev/null
+From b9f0aee83335db1f3915f4e42a5e21b351740afd Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Tue, 17 Aug 2010 14:46:00 +1000
+Subject: drm: stop information leak of old kernel stack.
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit b9f0aee83335db1f3915f4e42a5e21b351740afd upstream.
+
+non-critical issue, CVE-2010-2803
+
+Userspace controls the amount of memory to be allocate, so it can
+get the ioctl to allocate more memory than the kernel uses, and get
+access to kernel stack. This can only be done for processes authenticated
+to the X server for DRI access, and if the user has DRI access.
+
+Fix is to just memset the data to 0 if the user doesn't copy into
+it in the first place.
+
+Reported-by: Kees Cook <kees@ubuntu.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/gpu/drm/drm_drv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_drv.c
++++ b/drivers/gpu/drm/drm_drv.c
+@@ -504,7 +504,9 @@ int drm_ioctl(struct inode *inode, struc
+ retcode = -EFAULT;
+ goto err_i1;
+ }
+- }
++ } else
++ memset(kdata, 0, _IOC_SIZE(cmd));
++
+ retcode = func(dev, kdata, file_priv);
+
+ if ((retcode == 0) && (cmd & IOC_OUT)) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
