On 2014-06-18 08:33 +0200, Zhaowei Yuan wrote:
> If a user uses a wrong ioctl command with _IOC_NONE and an argument size
> greater than 0, it can cause a NULL pointer access from the memset at line
> 463. If _IOC_NONE, don't memset kdata to 0.
>
> Signed-off-by: Zhaowei Yuan <zhaowei.yuan@xxxxxxxxxxx>
> ---
> drivers/gpu/drm/drm_drv.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> mode change 100644 => 100755 drivers/gpu/drm/drm_drv.c

The mode change certainly was not intentional, was it? Just noticed it when I pulled 3.16-rc3 from Linus…

> diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
> old mode 100644
> new mode 100755
> index 2ab782c..1a92bcb
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -459,8 +459,9 @@ long drm_ioctl(struct file *filp,
> retcode = -EFAULT;
> goto err_i1;
> }
> - } else
> + } else if (cmd & IOC_OUT) {
> memset(kdata, 0, usize);
> + }
>
> if (ioctl->flags & DRM_UNLOCKED)
> retcode = func(dev, kdata, file_priv);

Cheers,
Sven

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
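Review bot: the hunk's new condition `} else if (cmd & IOC_OUT) {` does not match the wording of the commit message, which describes the skipped case as "_IOC_NONE"; the code keeps the memset only when the command has the OUT direction bit set and skips it for everything else that reaches the else branch, so the message should state that mapping explicitly (memset retained for IOC_OUT-only commands, skipped for _IOC_NONE where no kdata buffer backs usize) rather than leaving the reader to infer it. Two smaller points: the `old mode 100644` / `new mode 100755` lines in the diff header are an unrelated permission change on drm_drv.c and should be dropped from the patch before it is merged, and the braces added around the single `memset(kdata, 0, usize);` statement are fine for consistency with the braced `if` branch above it but should be mentioned as a deliberate style choice so they are not mistaken for a second functional change.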