author Thomas Zimmermann <tzimmermann@suse.de> 2019-01-21 11:24:11 +0100
committer Thomas Zimmermann <tzimmermann@suse.de> 2019-01-21 11:24:11 +0100
commit eef0a2f40a22f8ca1bf0f922125af6d0c07194c0
tree 6c2ad1d2990e0d81af503ff9a39132f275647331
parent fc802aa9ca4043004f582d78235815548696fd5c
omap2fb: Fix stack memory disclosure (bsc#1120902)
-rw-r--r-- patches.drm/0002-omap2fb-Fix-stack-memory-disclosure.patch 44
-rw-r--r-- series.conf 1
2 files changed, 45 insertions, 0 deletions
diff --git a/patches.drm/0002-omap2fb-Fix-stack-memory-disclosure.patch b/patches.drm/0002-omap2fb-Fix-stack-memory-disclosure.patch
new file mode 100644
index 0000000000..bce650331e
--- /dev/null
+++ b/patches.drm/0002-omap2fb-Fix-stack-memory-disclosure.patch
@@ -0,0 +1,44 @@
+From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Date: Fri, 11 Jan 2019 14:34:38 +0100
+Subject: omap2fb: Fix stack memory disclosure
+Git-commit: a01421e4484327fe44f8e126793ed5a48a221e24
+Patch-mainline: v5.0-rc3
+References: bsc#1120902
+
+Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
+OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
+cases could all leak uninitialized stack memory--either due to
+uninitialized padding or 'reserved' fields.
+
+Fix them by clearing the shared union used to store copied out data.
+
+[1] https://github.com/vlad902/kernel-uninitialized-memory-checker
+
+Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
+Cc: security@kernel.org
+[b.zolnierkie: prefix patch subject with "omap2fb: "]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+index a3edb20ea4c3..a846d32ee653 100644
+--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+@@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, unsigned int cmd, unsigned long arg)
+
+ int r = 0;
+
++ memset(&p, 0, sizeof(p));
++
+ switch (cmd) {
+ case OMAPFB_SYNC_GFX:
+ DBG("ioctl SYNC_GFX\n");
+--
+2.20.1
+
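Review bot: The memset(&p, 0, sizeof(p)) added ahead of switch (cmd) in omapfb_ioctl() has no comment, and nothing in the code ties it to the four copy-out cases named in the commit message (OMAPFB_QUERY_PLANE, OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, OMAPFB_GET_VRAM_INFO), so a later cleanup could drop it as a redundant initialisation. A one-line comment saying the shared union is cleared so that padding and 'reserved' fields never reach user space uninitialised would protect it. Clearing once before the switch rather than inside each case is the right placement, since it also covers any copy-out case added later.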
diff --git a/series.conf b/series.conf
index 80b7df7ac3..35565e4c7f 100644
--- a/series.conf
+++ b/series.conf
@@ -19745,6 +19745,7 @@
patches.fixes/kvm-sev-fail-kvm_sev_init-if-already-initialized.patch
patches.drivers/tty-Don-t-hold-ldisc-lock-in-tty_reopen-if-ldisc-pre.patch
patches.drm/0001-drm-i915-gvt-Fix-mmap-range-check.patch
+ patches.drm/0002-omap2fb-Fix-stack-memory-disclosure.patch
# dhowells/linux-fs keys-uefi
patches.suse/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
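Review bot: The new series.conf entry takes the 0002- prefix directly after patches.drm/0001-drm-i915-gvt-Fix-mmap-range-check.patch, which reads as the second patch of one series although the two touch unrelated drivers (i915 gvt and omap2fb). If the numeric prefix is not required by the tooling, a name without it would avoid implying a dependency between the two when either is later reverted or reordered.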