From: Greg Kroah-Hartman
Date: Fri, 12 Mar 2021 13:36:28 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.4.262~91
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0442b35bae31c66615b8c3977af6e0ca69116888;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
drm-compat-clear-bounce-structures.patch
---
diff --git a/queue-4.19/drm-compat-clear-bounce-structures.patch b/queue-4.19/drm-compat-clear-bounce-structures.patch
new file mode 100644
index 00000000000..4c36d7f3b48
--- /dev/null
+++ b/queue-4.19/drm-compat-clear-bounce-structures.patch
@@ -0,0 +1,79 @@
+From de066e116306baf3a6a62691ac63cfc0b1dabddb Mon Sep 17 00:00:00 2001
+From: Daniel Vetter
+Date: Mon, 22 Feb 2021 11:06:43 +0100
+Subject: drm/compat: Clear bounce structures
+
+From: Daniel Vetter
+
+commit de066e116306baf3a6a62691ac63cfc0b1dabddb upstream.
+
+Some of them have gaps, or fields we don't clear. Native ioctl code
+does full copies plus zero-extends on size mismatch, so nothing can
+leak. But compat is more hand-rolled so need to be careful.
+
+None of these matter for performance, so just memset.
+
+Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those
+are security holes anyway.
+
+Acked-by: Maxime Ripard
+Reported-by: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com # vblank ioctl
+Cc: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20210222100643.400935-1-daniel.vetter@ffwll.ch
+(cherry picked from commit e926c474ebee404441c838d18224cd6f246a71b7)
+Signed-off-by: Maarten Lankhorst
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_ioc32.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/gpu/drm/drm_ioc32.c
++++ b/drivers/gpu/drm/drm_ioc32.c
+@@ -96,6 +96,8 @@ static int compat_drm_version(struct fil
+ if (copy_from_user(&v32, (void __user *)arg, sizeof(v32)))
+ return -EFAULT;
+
++ memset(&v, 0, sizeof(v));
++
+ v = (struct drm_version) {
+ .name_len = v32.name_len,
+ .name = compat_ptr(v32.name),
+@@ -134,6 +136,9 @@ static int compat_drm_getunique(struct f
+
+ if (copy_from_user(&uq32, (void __user *)arg, sizeof(uq32)))
+ return -EFAULT;
++
++ memset(&uq, 0, sizeof(uq));
++
+ uq = (struct drm_unique){
+ .unique_len = uq32.unique_len,
+ .unique = compat_ptr(uq32.unique),
+@@ -260,6 +265,8 @@ static int compat_drm_getclient(struct f
+ if (copy_from_user(&c32, argp, sizeof(c32)))
+ return -EFAULT;
+
++ memset(&client, 0, sizeof(client));
++
+ client.idx = c32.idx;
+
+ err = drm_ioctl_kernel(file, drm_getclient, &client, DRM_UNLOCKED);
+@@ -842,6 +849,8 @@ static int compat_drm_wait_vblank(struct
+ if (copy_from_user(&req32, argp, sizeof(req32)))
+ return -EFAULT;
+
++ memset(&req, 0, sizeof(req));
++
+ req.request.type = req32.request.type;
+ req.request.sequence = req32.request.sequence;
+ req.request.signal = req32.request.signal;
+@@ -879,6 +888,8 @@ static int compat_drm_mode_addfb2(struct
+ struct drm_mode_fb_cmd2 req64;
+ int err;
+
++ memset(&req64, 0, sizeof(req64));
++
+ if (copy_from_user(&req64, argp,
+ offsetof(drm_mode_fb_cmd232_t, modifier)))
+ return -EFAULT;
diff --git a/queue-4.19/series b/queue-4.19/series
index 592f955857a..2aafb664484 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -31,3 +31,4 @@ net-stmmac-fix-watchdog-timeout-during-suspend-resume-stress-test.patch
 selftests-forwarding-fix-race-condition-in-mirror-installation.patch
 perf-traceevent-ensure-read-cmdlines-are-null-terminated.patch
 s390-cio-return-efault-if-copy_to_user-fails.patch
+drm-compat-clear-bounce-structures.patch
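Review bot: The `memset(&v, 0, sizeof(v));` added in compat_drm_version and the `memset(&uq, 0, sizeof(uq));` added in compat_drm_getunique are overwritten by the very next statement, a whole-struct assignment from a designated compound literal, so at those two sites the memset clears nothing the assignment would leave set and a compiler is free to elide it. The compound literal already zeroes every member it does not name, but its padding bytes are unspecified and the assignment copies them over the cleared object, so if padding is the concern the fix is to keep the memset and assign the members into `v` and `uq` individually, as the getclient, wait_vblank and addfb2 hunks already do; otherwise these two memsets can be dropped as redundant. The other three sites (`client`, `req`, `req64`) are filled field by field after the memset and read correctly, with `req64` cleared before a partial `copy_from_user` bounded by `offsetof(drm_mode_fb_cmd232_t, modifier)`. All five inner hunks are cut from functions whose bodies continue outside the hunk, so whether any of these bounce structs is later copied back to userspace as a whole object cannot be confirmed from here.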