| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191029182320.GA17569@mwanda>
Date: Tue, 29 Oct 2019 21:23:20 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
Andrea Righi <righi.andrea@...il.com>
Cc: Daniel Vetter <daniel.vetter@...ll.ch>,
Sam Ravnborg <sam@...nborg.org>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Peter Rosin <peda@...ntia.se>,
Gerd Hoffmann <kraxel@...hat.com>,
dri-devel@...ts.freedesktop.org, linux-fbdev@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org,
security@...nel.org, Kees Cook <keescook@...omium.org>,
Julia Lawall <Julia.Lawall@...6.fr>
Subject: [PATCH] fbdev: potential information leak in do_fb_ioctl()
The "fix" struct has a 2 byte hole after ->ywrapstep and the
"fix = info->fix;" assignment doesn't necessarily clear it. It depends
on the compiler.
Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
---
I have 13 more similar places to patch... I'm not totally sure I
understand all the issues involved.
drivers/video/fbdev/core/fbmem.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 6f6fc785b545..b4ce6a28aed9 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1109,6 +1109,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
ret = -EFAULT;
break;
case FBIOGET_FSCREENINFO:
+ memset(&fix, 0, sizeof(fix));
lock_fb_info(info);
fix = info->fix;
if (info->flags & FBINFO_HIDE_SMEM_START)
--
2.20.1
Powered by blists - more mailing lists