[PATCH v2] fbdev: potential information leak in do_fb_ioctl()
Bartlomiej Zolnierkiewicz
b.zolnierkie at samsung.com
Wed Jan 15 14:31:29 UTC 2020
On 1/13/20 12:08 PM, Dan Carpenter wrote:
> The "fix" struct has a 2 byte hole after ->ywrapstep and the
> "fix = info->fix;" assignment doesn't necessarily clear it. It depends
> on the compiler. The solution is just to replace the assignment with an
> memcpy().
>
> Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Patch queued for v5.6, thanks.
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
> ---
> v2: Use memcpy()
>
> drivers/video/fbdev/core/fbmem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index d04554959ea7..bb8d8dbc0461 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -1115,7 +1115,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
> break;
> case FBIOGET_FSCREENINFO:
> lock_fb_info(info);
> - fix = info->fix;
> + memcpy(&fix, &info->fix, sizeof(fix));
> if (info->flags & FBINFO_HIDE_SMEM_START)
> fix.smem_start = 0;
> unlock_fb_info(info);
>
More information about the dri-devel
mailing list