Hi

On Wed, Jun 18, 2014 at 8:33 AM, Zhaowei Yuan <zhaowei.yuan@xxxxxxxxxxx> wrote:
> If a user uses a wrong ioctl command with _IOC_NONE and an argument size
> greater than 0, it can cause a NULL pointer access from the memset at line
> 463. If _IOC_NONE, don't memset kdata to 0.
>
> Signed-off-by: Zhaowei Yuan <zhaowei.yuan@xxxxxxxxxxx>

Reviewed-by: David Herrmann <dh.herrmann@xxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>

@Dave: Imo, this should go through stable. We initialize "kdata" to NULL,
but "usize" can be up to 2^14, so it might write to real memory there.
Most systems probably reserve the lower 64KB and the first write on the
NULL page should kill the process and have no other side effects;
however, who knows how memset() is implemented on different
architectures. It might start writing at the end.. or might issue large
writes.. what do I know..

Thanks
David

> ---
>  drivers/gpu/drm/drm_drv.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>  mode change 100644 => 100755 drivers/gpu/drm/drm_drv.c
>
> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> old mode 100644
> new mode 100755
> index 2ab782c..1a92bcb
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -459,8 +459,9 @@ long drm_ioctl(struct file *filp,
>  retcode = -EFAULT;
>  goto err_i1;
>  }
> - } else
> + } else if (cmd & IOC_OUT) {
>  memset(kdata, 0, usize);
> + }
>
>  if (ioctl->flags & DRM_UNLOCKED)
>  retcode = func(dev, kdata, file_priv);
> --
> 1.7.9.5
>
> _______________________________________________
> dri-devel mailing list
> dri-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/dri-devel
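Review bot: the file header carries an unrelated permission change, `old mode 100644` / `new mode 100755` on drivers/gpu/drm/drm_drv.c, which should be dropped before this is applied; a kernel source file must not become executable as a side effect of a NULL-dereference fix. In the hunk, the new condition `} else if (cmd & IOC_OUT) {` guards the `memset(kdata, 0, usize);` by testing IOC_OUT, while the commit message describes the bug in terms of _IOC_NONE; the message should state why IOC_OUT is the right test here (that kdata is only allocated for commands with a data direction and otherwise stays NULL, as David also notes) so the intent survives in the history. Note also that a command with _IOC_NONE and a nonzero size no longer crashes in memset() but still reaches `retcode = func(dev, kdata, file_priv);` with kdata == NULL, so either every handler must tolerate a NULL argument or such a malformed command should be rejected with -EINVAL before this point.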