diff mbox series

[SRU,Zesty,1/1] video: fbdev: aty: do not leak uninitialized padding in clk to userspace

Message ID 20171207135017.4754-3-kleber.souza@canonical.com
State New
Headers show
Series [SRU,Zesty,1/1] video: fbdev: aty: do not leak uninitialized padding in clk to userspace | expand

Commit Message

Kleber Sacilotto de Souza Dec. 7, 2017, 1:50 p.m. UTC
From: Vladis Dronov <vdronov@redhat.com>

'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
field unitialized, leaking data from the stack. Fix this ensuring all of
'clk' is initialized to zero.

References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <sohu0106@126.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>

CVE-2017-14156
(cherry picked from commit 8e75f7a7a00461ef6d91797a60b606367f6e344d)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 drivers/video/fbdev/aty/atyfb_base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Colin Ian King Dec. 7, 2017, 1:53 p.m. UTC | #1
On 07/12/17 13:50, Kleber Sacilotto de Souza wrote:
> From: Vladis Dronov <vdronov@redhat.com>
> 
> 'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
> field unitialized, leaking data from the stack. Fix this ensuring all of
> 'clk' is initialized to zero.
> 
> References: https://github.com/torvalds/linux/pull/441
> Reported-by: sohu0106 <sohu0106@126.com>
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> 
> CVE-2017-14156
> (cherry picked from commit 8e75f7a7a00461ef6d91797a60b606367f6e344d)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
> ---
>  drivers/video/fbdev/aty/atyfb_base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
> index 11026e726b68..81367cf0af77 100644
> --- a/drivers/video/fbdev/aty/atyfb_base.c
> +++ b/drivers/video/fbdev/aty/atyfb_base.c
> @@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
>  #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
>  	case ATYIO_CLKR:
>  		if (M64_HAS(INTEGRATED)) {
> -			struct atyclk clk;
> +			struct atyclk clk = { 0 };
>  			union aty_pll *pll = &par->pll;
>  			u32 dsp_config = pll->ct.dsp_config;
>  			u32 dsp_on_off = pll->ct.dsp_on_off;
> 

Clean cherry pick, looks OK to me.

Acked-by: Colin Ian King <colin.king@canonical.com>
Stefan Bader Dec. 12, 2017, 9:49 a.m. UTC | #2
On 07.12.2017 13:50, Kleber Sacilotto de Souza wrote:
> From: Vladis Dronov <vdronov@redhat.com>
> 
> 'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
> field unitialized, leaking data from the stack. Fix this ensuring all of
> 'clk' is initialized to zero.
> 
> References: https://github.com/torvalds/linux/pull/441
> Reported-by: sohu0106 <sohu0106@126.com>
> Signed-off-by: Vladis Dronov <vdronov@redhat.com>
> Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
> 
> CVE-2017-14156
> (cherry picked from commit 8e75f7a7a00461ef6d91797a60b606367f6e344d)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>

> ---
>  drivers/video/fbdev/aty/atyfb_base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
> index 11026e726b68..81367cf0af77 100644
> --- a/drivers/video/fbdev/aty/atyfb_base.c
> +++ b/drivers/video/fbdev/aty/atyfb_base.c
> @@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
>  #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
>  	case ATYIO_CLKR:
>  		if (M64_HAS(INTEGRATED)) {
> -			struct atyclk clk;
> +			struct atyclk clk = { 0 };
>  			union aty_pll *pll = &par->pll;
>  			u32 dsp_config = pll->ct.dsp_config;
>  			u32 dsp_on_off = pll->ct.dsp_on_off;
>
Thadeu Lima de Souza Cascardo Dec. 13, 2017, 8:28 a.m. UTC | #3
Applied to zesty master-next branch.

Thanks.
Cascardo.

Applied-to: zesty/master-next
Thadeu Lima de Souza Cascardo Dec. 13, 2017, 8:28 a.m. UTC | #4
Applied to zesty master-next branch.

Thanks.
Cascardo.

Applied-to: zesty/master-next
diff mbox series

Patch

diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
index 11026e726b68..81367cf0af77 100644
--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -1861,7 +1861,7 @@  static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
 #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
 	case ATYIO_CLKR:
 		if (M64_HAS(INTEGRATED)) {
-			struct atyclk clk;
+			struct atyclk clk = { 0 };
 			union aty_pll *pll = &par->pll;
 			u32 dsp_config = pll->ct.dsp_config;
 			u32 dsp_on_off = pll->ct.dsp_on_off;