From: Greg Kroah-Hartman Date: Fri, 12 Mar 2021 13:36:11 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.262~92 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ee7db3efd40606c5da56567de83266cc1bcbf258;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: drm-compat-clear-bounce-structures.patch --- diff --git a/queue-4.14/drm-compat-clear-bounce-structures.patch b/queue-4.14/drm-compat-clear-bounce-structures.patch new file mode 100644 index 00000000000..4c36d7f3b48 --- /dev/null +++ b/queue-4.14/drm-compat-clear-bounce-structures.patch @@ -0,0 +1,79 @@ +From de066e116306baf3a6a62691ac63cfc0b1dabddb Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Mon, 22 Feb 2021 11:06:43 +0100 +Subject: drm/compat: Clear bounce structures + +From: Daniel Vetter + +commit de066e116306baf3a6a62691ac63cfc0b1dabddb upstream. + +Some of them have gaps, or fields we don't clear. Native ioctl code +does full copies plus zero-extends on size mismatch, so nothing can +leak. But compat is more hand-rolled so need to be careful. + +None of these matter for performance, so just memset. + +Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those +are security holes anyway. + +Acked-by: Maxime Ripard +Reported-by: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com # vblank ioctl +Cc: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210222100643.400935-1-daniel.vetter@ffwll.ch +(cherry picked from commit e926c474ebee404441c838d18224cd6f246a71b7) +Signed-off-by: Maarten Lankhorst +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_ioc32.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/gpu/drm/drm_ioc32.c ++++ b/drivers/gpu/drm/drm_ioc32.c +@@ -96,6 +96,8 @@ static int compat_drm_version(struct fil + if (copy_from_user(&v32, (void __user *)arg, sizeof(v32))) + return -EFAULT; + ++ memset(&v, 0, sizeof(v)); ++ + v = (struct drm_version) { + .name_len = v32.name_len, + .name = compat_ptr(v32.name), +@@ -134,6 +136,9 @@ static int compat_drm_getunique(struct f + + if (copy_from_user(&uq32, (void __user *)arg, sizeof(uq32))) + return -EFAULT; ++ ++ memset(&uq, 0, sizeof(uq)); ++ + uq = (struct drm_unique){ + .unique_len = uq32.unique_len, + .unique = compat_ptr(uq32.unique), +@@ -260,6 +265,8 @@ static int compat_drm_getclient(struct f + if (copy_from_user(&c32, argp, sizeof(c32))) + return -EFAULT; + ++ memset(&client, 0, sizeof(client)); ++ + client.idx = c32.idx; + + err = drm_ioctl_kernel(file, drm_getclient, &client, DRM_UNLOCKED); +@@ -842,6 +849,8 @@ static int compat_drm_wait_vblank(struct + if (copy_from_user(&req32, argp, sizeof(req32))) + return -EFAULT; + ++ memset(&req, 0, sizeof(req)); ++ + req.request.type = req32.request.type; + req.request.sequence = req32.request.sequence; + req.request.signal = req32.request.signal; +@@ -879,6 +888,8 @@ static int compat_drm_mode_addfb2(struct + struct drm_mode_fb_cmd2 req64; + int err; + ++ memset(&req64, 0, sizeof(req64)); ++ + if (copy_from_user(&req64, argp, + offsetof(drm_mode_fb_cmd232_t, modifier))) + return -EFAULT; diff --git a/queue-4.14/series b/queue-4.14/series index f4263ec7b5c..da0d1461460 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -24,3 +24,4 @@ net-davicom-fix-regulator-not-turned-off-on-driver-removal.patch net-stmmac-stop-each-tx-channel-independently.patch perf-traceevent-ensure-read-cmdlines-are-null-terminated.patch s390-cio-return-efault-if-copy_to_user-fails.patch +drm-compat-clear-bounce-structures.patch