Home| summaryrefslogtreecommitdiff |
diff options
| author | Thomas Zimmermann <tzimmermann@suse.de> | 2019-01-21 11:37:12 +0100 |
|---|---|---|
| committer | Thomas Zimmermann <tzimmermann@suse.de> | 2019-01-21 11:37:12 +0100 |
| commit | 680011251883a2dbef37000af0066e00cc5e8dfe (patch) | |
| tree | 4e43b0eebbcbe8d8ea8c1fd0d5b9c4702d1484b8 | |
| parent | 1c34c09e536e9ef8fbb992559a82e51730ccf87f (diff) | |
omap2fb: Fix stack memory disclosure (bsc#1106929)
| -rw-r--r-- | patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch | 44 | ||||
| -rw-r--r-- | series.conf | 1 |
2 files changed, 45 insertions, 0 deletions
diff --git a/patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch b/patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch new file mode 100644 index 0000000000..5b491e79c5 --- /dev/null +++ b/patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch @@ -0,0 +1,44 @@ +From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001 +From: Vlad Tsyrklevich <vlad@tsyrklevich.net> +Date: Fri, 11 Jan 2019 14:34:38 +0100 +Subject: omap2fb: Fix stack memory disclosure +Git-commit: a01421e4484327fe44f8e126793ed5a48a221e24 +Patch-mainline: v5.0-rc3 +References: bsc#1106929 + +Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE, +OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO +cases could all leak uninitialized stack memory--either due to +uninitialized padding or 'reserved' fields. + +Fix them by clearing the shared union used to store copied out data. + +[1] https://github.com/vlad902/kernel-uninitialized-memory-checker + +Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net> +Reviewed-by: Kees Cook <keescook@chromium.org> +Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver") +Cc: security@kernel.org +[b.zolnierkie: prefix patch subject with "omap2fb: "] +Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> +Acked-by: Thomas Zimmermann <tzimmermann@suse.de> +--- + drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +index a3edb20ea4c3..a846d32ee653 100644 +--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c ++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +@@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, unsigned int cmd, unsigned long arg) + + int r = 0; + ++ memset(&p, 0, sizeof(p)); ++ + switch (cmd) { + case OMAPFB_SYNC_GFX: + DBG("ioctl SYNC_GFX\n"); +-- +2.20.1 + diff --git a/series.conf b/series.conf index 87c4adf418..5cd4957177 100644 --- a/series.conf +++ b/series.conf @@ -23875,6 +23875,7 @@ patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch patches.fixes/0001-drm-fb-helper-Ignore-the-value-of-fb_var_screeninfo..patch + patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch ######################################################## # end of sorted patches |