Commit 1539fb9b authored Jun 18, 2014 by Zhaowei Yuan Committed by Dave Airlie Jun 25, 2014

drm: fix NULL pointer access by wrong ioctl



If user uses wrong ioctl command with _IOC_NONE and argument size
greater than 0, it can cause NULL pointer access from memset of line
463. If _IOC_NONE, don't memset to 0 for kdata.

Signed-off-by: Zhaowei Yuan <zhaowei.yuan@samsung.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>

parent a497c3ba

drivers/gpu/drm/drm_drv.c

100644 → 100755

+2 −1

Original line number	Diff line number	Diff line
		@@ -419,8 +419,9 @@ long drm_ioctl(struct file *filp,
		retcode = -EFAULT;
		goto err_i1;
		}
		} else
		} else if (cmd & IOC_OUT) {
		memset(kdata, 0, usize);
		}

		if (ioctl->flags & DRM_UNLOCKED)
		retcode = func(dev, kdata, file_priv);