From patchwork Sun Jan 6 07:54:08 2019
X-Patchwork-Submitter: Vlad Tsyrklevich
X-Patchwork-Id: 10749465
From: Vlad Tsyrklevich
To: linux-fbdev@vger.kernel.org
Cc: Vlad Tsyrklevich, security@kernel.org
Subject: [PATCH] Fix stack memory disclosure
Date: Sat, 5 Jan 2019 23:54:08 -0800
Message-Id: <20190106075408.58405-1-vlad@tsyrklevich.net>
X-Mailer: git-send-email 2.17.0
Sender: linux-fbdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-fbdev@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
cases could all leak uninitialized stack memory--either due to
uninitialized padding or 'reserved' fields.

Fix them by clearing the shared union used to store copied out data.

[1] https://github.com/vlad902/kernel-uninitialized-memory-checker

Signed-off-by: Vlad Tsyrklevich
Cc: security@kernel.org
Reviewed-by: Kees Cook
--- drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c index 53f93616c..8e23160ec 100644 --- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c @@ -609,6 +609,8 @@ int omapfb_ioctl(struct fb_info *fbi, unsigned int cmd, unsigned long arg) int r = 0; + memset(&p, 0, sizeof(p)); + switch (cmd) { case OMAPFB_SYNC_GFX: DBG("ioctl SYNC_GFX\n");
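Review bot: the memset(&p, 0, sizeof(p)) inserted between int r = 0; and switch (cmd) carries no comment, so a later cleanup could drop it as a redundant initialisation. A one-line comment saying that p is copied out to user space and that its padding and 'reserved' fields must not carry stale stack contents would keep the reason next to the code. The clear also runs for every cmd, including cases such as OMAPFB_SYNC_GFX that the commit message does not list among the leaking ones; that is cheap and also covers any case added to the switch later, and the commit message could say that this is intentional. Separately, the subject line has no subsystem prefix, and for an information leak a Fixes: tag and a Cc: stable@vger.kernel.org next to the existing security@kernel.org Cc would help with backporting.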