| From b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| Date: Wed, 15 Sep 2010 19:08:24 -0400 |
| Subject: drivers/video/via/ioctl.c: prevent reading uninitialized stack memory |
| |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| |
| commit b4aaa78f4c2f9cde2f335b14f4ca30b01f9651ca upstream. |
| |
| The VIAFB_GET_INFO device ioctl allows unprivileged users to read 246 |
| bytes of uninitialized stack memory, because the "reserved" member of |
| the viafb_ioctl_info struct declared on the stack is not altered or |
| zeroed before being copied back to the user. This patch takes care of |
| it. |
| |
| Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> |
| Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/video/via/ioctl.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/drivers/video/via/ioctl.c |
| +++ b/drivers/video/via/ioctl.c |
| @@ -25,6 +25,8 @@ int viafb_ioctl_get_viafb_info(u_long ar |
| { |
| struct viafb_ioctl_info viainfo; |
| |
| + memset(&viainfo, 0, sizeof(struct viafb_ioctl_info)); |
| + |
| viainfo.viafb_id = VIAID; |
| viainfo.vendor_id = PCI_VIA_VENDOR_ID; |
| |