[patch] vmwgfx: information leak in vmw_execbuf_copy_fence_user()

Thomas Hellstrom thellstrom at vmware.com
Mon Oct 17 23:38:22 PDT 2011


On 10/18/2011 08:10 AM, Dan Carpenter wrote:
> If ret is non-zero then we don't initialize the struct which leaks
> stack information to user space.
>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
>    

Reviewed-by: Thomas Hellstrom <thellstrom at vmware.com>

> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> index d4a1d8b..28e1c35 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
> @@ -1070,6 +1070,8 @@ vmw_execbuf_copy_fence_user(struct vmw_private *dev_priv,
>   	if (user_fence_rep == NULL)
>   		return;
>
> +	memset(&fence_rep, 0, sizeof(fence_rep));
> +
>   	fence_rep.error = ret;
>   	if (ret == 0) {
>   		BUG_ON(fence == NULL);
>    
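Review bot: the memset() added above `fence_rep.error = ret;` carries no comment saying why the whole struct is cleared, and the reason given in the commit message (when ret is non-zero the remaining fields are never set and stack contents reach user space) is easy to lose in a later cleanup. A one-line comment above the memset() stating that fence_rep goes to user space on the error path too would help. It is also worth keeping memset() rather than switching to per-field assignments or an initializer at the declaration, since memset() clears any padding bytes as well as the named fields. The placement after the `user_fence_rep == NULL` early return looks fine, because nothing is handed back in that case.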


