release/5.2.42/fbdev-potential-information-leak-in-do_fb_ioctl.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 3bbedd01ed264662b00abe6e8c192c34203d1d48 Mon Sep 17 00:00:00 2001
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Mon, 13 Jan 2020 14:08:14 +0300
 Subject: [PATCH] fbdev: potential information leak in do_fb_ioctl()

 commit d3d19d6fc5736a798b118971935ce274f7deaa82 upstream.

 The "fix" struct has a 2 byte hole after ->ywrapstep and the
 "fix = info->fix;" assignment doesn't necessarily clear it.  It depends
 on the compiler.  The solution is just to replace the assignment with an
 memcpy().

 Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Cc: Andrew Morton <akpm@linux-foundation.org>
 Cc: Arnd Bergmann <arnd@arndb.de>
 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
 Cc: Andrea Righi <righi.andrea@gmail.com>
 Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
 Cc: Sam Ravnborg <sam@ravnborg.org>
 Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
 Cc: Daniel Thompson <daniel.thompson@linaro.org>
 Cc: Peter Rosin <peda@axentia.se>
 Cc: Jani Nikula <jani.nikula@intel.com>
 Cc: Gerd Hoffmann <kraxel@redhat.com>
 Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
 Link: https://patchwork.freedesktop.org/patch/msgid/20200113100132.ixpaymordi24n3av@kili.mountain
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
 index d1949c92be98..43a55a22c33d 100644
 --- a/drivers/video/fbdev/core/fbmem.c
 +++ b/drivers/video/fbdev/core/fbmem.c
 @@ -1147,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
  	case FBIOGET_FSCREENINFO:
  		if (!lock_fb_info(info))
  			return -ENODEV;
 -		fix = info->fix;
 +		memcpy(&fix, &info->fix, sizeof(fix));
  		if (info->flags & FBINFO_HIDE_SMEM_START)
  			fix.smem_start = 0;
  		unlock_fb_info(info);
 --
 2.7.4
	From 3bbedd01ed264662b00abe6e8c192c34203d1d48 Mon Sep 17 00:00:00 2001
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Mon, 13 Jan 2020 14:08:14 +0300
	Subject: [PATCH] fbdev: potential information leak in do_fb_ioctl()

	commit d3d19d6fc5736a798b118971935ce274f7deaa82 upstream.

	The "fix" struct has a 2 byte hole after ->ywrapstep and the
	"fix = info->fix;" assignment doesn't necessarily clear it. It depends
	on the compiler. The solution is just to replace the assignment with an
	memcpy().

	Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Cc: Andrew Morton <akpm@linux-foundation.org>
	Cc: Arnd Bergmann <arnd@arndb.de>
	Cc: "Eric W. Biederman" <ebiederm@xmission.com>
	Cc: Andrea Righi <righi.andrea@gmail.com>
	Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
	Cc: Sam Ravnborg <sam@ravnborg.org>
	Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
	Cc: Daniel Thompson <daniel.thompson@linaro.org>
	Cc: Peter Rosin <peda@axentia.se>
	Cc: Jani Nikula <jani.nikula@intel.com>
	Cc: Gerd Hoffmann <kraxel@redhat.com>
	Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
	Link: https://patchwork.freedesktop.org/patch/msgid/20200113100132.ixpaymordi24n3av@kili.mountain
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
	index d1949c92be98..43a55a22c33d 100644
	--- a/drivers/video/fbdev/core/fbmem.c
	+++ b/drivers/video/fbdev/core/fbmem.c
	@@ -1147,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
	case FBIOGET_FSCREENINFO:
	if (!lock_fb_info(info))
	return -ENODEV;
	- fix = info->fix;
	+ memcpy(&fix, &info->fix, sizeof(fix));
	if (info->flags & FBINFO_HIDE_SMEM_START)
	fix.smem_start = 0;
	unlock_fb_info(info);
	--
	2.7.4