[PATCH] fbdev: potential information leak in do_fb_ioctl()
Dan Carpenter
dan.carpenter at oracle.com
Tue Oct 29 18:23:20 UTC 2019
The "fix" struct has a 2 byte hole after ->ywrapstep and the
"fix = info->fix;" assignment doesn't necessarily clear it. It depends
on the compiler.
Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
---
I have 13 more similar places to patch... I'm not totally sure I
understand all the issues involved.
drivers/video/fbdev/core/fbmem.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index 6f6fc785b545..b4ce6a28aed9 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1109,6 +1109,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
ret = -EFAULT;
break;
case FBIOGET_FSCREENINFO:
+ memset(&fix, 0, sizeof(fix));
lock_fb_info(info);
fix = info->fix;
if (info->flags & FBINFO_HIDE_SMEM_START)
--
2.20.1
More information about the dri-devel
mailing list