Home Home > GIT Browse > openSUSE-42.3
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Zimmermann <tzimmermann@suse.de>2019-01-21 11:37:12 +0100
committerThomas Zimmermann <tzimmermann@suse.de>2019-01-21 11:37:12 +0100
commit680011251883a2dbef37000af0066e00cc5e8dfe (patch)
tree4e43b0eebbcbe8d8ea8c1fd0d5b9c4702d1484b8
parent1c34c09e536e9ef8fbb992559a82e51730ccf87f (diff)
omap2fb: Fix stack memory disclosure (bsc#1106929)
-rw-r--r--patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch44
-rw-r--r--series.conf1
2 files changed, 45 insertions, 0 deletions
diff --git a/patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch b/patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch
new file mode 100644
index 0000000000..5b491e79c5
--- /dev/null
+++ b/patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch
@@ -0,0 +1,44 @@
+From a01421e4484327fe44f8e126793ed5a48a221e24 Mon Sep 17 00:00:00 2001
+From: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Date: Fri, 11 Jan 2019 14:34:38 +0100
+Subject: omap2fb: Fix stack memory disclosure
+Git-commit: a01421e4484327fe44f8e126793ed5a48a221e24
+Patch-mainline: v5.0-rc3
+References: bsc#1106929
+
+Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
+OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
+cases could all leak uninitialized stack memory--either due to
+uninitialized padding or 'reserved' fields.
+
+Fix them by clearing the shared union used to store copied out data.
+
+[1] https://github.com/vlad902/kernel-uninitialized-memory-checker
+
+Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Fixes: b39a982ddecf ("OMAP: DSS2: omapfb driver")
+Cc: security@kernel.org
+[b.zolnierkie: prefix patch subject with "omap2fb: "]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+---
+ drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+index a3edb20ea4c3..a846d32ee653 100644
+--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c
+@@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, unsigned int cmd, unsigned long arg)
+
+ int r = 0;
+
++ memset(&p, 0, sizeof(p));
++
+ switch (cmd) {
+ case OMAPFB_SYNC_GFX:
+ DBG("ioctl SYNC_GFX\n");
+--
+2.20.1
+
diff --git a/series.conf b/series.conf
index 87c4adf418..5cd4957177 100644
--- a/series.conf
+++ b/series.conf
@@ -23875,6 +23875,7 @@
patches.fixes/0001-fbdev-fbmem-behave-better-with-small-rotated-display.patch
patches.fixes/0001-fbdev-fbcon-Fix-unregister-crash-when-more-than-one-.patch
patches.fixes/0001-drm-fb-helper-Ignore-the-value-of-fb_var_screeninfo..patch
+ patches.fixes/0001-omap2fb-Fix-stack-memory-disclosure.patch
########################################################
# end of sorted patches