Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e8cd674e authored by Daniel Vetter's avatar Daniel Vetter Committed by Greg Kroah-Hartman
Browse files

drm/compat: Clear bounce structures 



commit de066e116306baf3a6a62691ac63cfc0b1dabddb upstream.

Some of them have gaps, or fields we don't clear. Native ioctl code
does full copies plus zero-extends on size mismatch, so nothing can
leak. But compat is more hand-rolled so need to be careful.

None of these matter for performance, so just memset.

Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those
are security holes anyway.

Acked-by: default avatarMaxime Ripard <mripard@kernel.org>
Reported-by: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com # vblank ioctl
Cc: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210222100643.400935-1-daniel.vetter@ffwll.ch


(cherry picked from commit e926c474ebee404441c838d18224cd6f246a71b7)
Signed-off-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 21d62e81

drivers/gpu/drm/drm_ioc32.c

+11 −0
Original line number Diff line number Diff line
@@ -96,6 +96,8 @@ static int compat_drm_version(struct file *file, unsigned int cmd, 
	if (copy_from_user(&v32, (void __user *)arg, sizeof(v32)))

		return -EFAULT;



	memset(&v, 0, sizeof(v));



	v = (struct drm_version) {

		.name_len = v32.name_len,

		.name = compat_ptr(v32.name),
@@ -134,6 +136,9 @@ static int compat_drm_getunique(struct file *file, unsigned int cmd, 


	if (copy_from_user(&uq32, (void __user *)arg, sizeof(uq32)))

		return -EFAULT;



	memset(&uq, 0, sizeof(uq));



	uq = (struct drm_unique){

		.unique_len = uq32.unique_len,

		.unique = compat_ptr(uq32.unique),
@@ -260,6 +265,8 @@ static int compat_drm_getclient(struct file *file, unsigned int cmd, 
	if (copy_from_user(&c32, argp, sizeof(c32)))

		return -EFAULT;



	memset(&client, 0, sizeof(client));



	client.idx = c32.idx;



	err = drm_ioctl_kernel(file, drm_getclient, &client, DRM_UNLOCKED);
@@ -842,6 +849,8 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd, 
	if (copy_from_user(&req32, argp, sizeof(req32)))

		return -EFAULT;



	memset(&req, 0, sizeof(req));



	req.request.type = req32.request.type;

	req.request.sequence = req32.request.sequence;

	req.request.signal = req32.request.signal;
@@ -879,6 +888,8 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd, 
	struct drm_mode_fb_cmd2 req64;

	int err;



	memset(&req64, 0, sizeof(req64));



	if (copy_from_user(&req64, argp,

			   offsetof(drm_mode_fb_cmd232_t, modifier)))

		return -EFAULT;