From: Julia Lawall <Julia.Lawall@xxxxxxx>
The c32 structure is allocated on the stack and its idx field is not
initialized before copying it to user level. This patch takes the value
from the result of the ioctl, as done for the other fields.
Signed-off-by: Julia Lawall <Julia.Lawall@xxxxxxx>
---
An alternative would be to change the earlier code
if (get_user(idx, &argp->idx))
return -EFAULT;
to write into the c32 structure, rather than into the local idx variable.
This would be more similar to what is done in compat_drm_version.
drivers/gpu/drm/drm_ioc32.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
index ddd70db..637fcc3 100644
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -315,7 +315,8 @@ static int compat_drm_getclient(struct file *file, unsigned int cmd,
if (err)
return err;
- if (__get_user(c32.auth, &client->auth)
+ if (__get_user(c32.idx, &client->idx)
+ || __get_user(c32.auth, &client->auth)
|| __get_user(c32.pid, &client->pid)
|| __get_user(c32.uid, &client->uid)
|| __get_user(c32.magic, &client->magic)
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
