| From b09749a98e57f91d10487e9e76f315b609f07efe Mon Sep 17 00:00:00 2001 |
| From: Peilin Ye <yepeilin.cs@gmail.com> |
| Date: Tue, 28 Jul 2020 15:29:24 -0400 |
| Subject: [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| commit 543e8669ed9bfb30545fd52bc0e047ca4df7fb31 upstream. |
| |
| Compiler leaves a 4-byte hole near the end of `dev_info`, causing |
| amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace |
| when `size` is greater than 356. |
| |
| In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which |
| unfortunately does not initialize that 4-byte hole. Fix it by using |
| memset() instead. |
| |
| Cc: stable@vger.kernel.org |
| Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()") |
| Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") |
| Suggested-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Reviewed-by: Christian König <christian.koenig@amd.com> |
| Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com> |
| Signed-off-by: Alex Deucher <alexander.deucher@amd.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c |
| index b3c9ab4e4a55..fe42c6b5849d 100644 |
| --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c |
| +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c |
| @@ -653,9 +653,10 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file |
| return n ? -EFAULT : 0; |
| } |
| case AMDGPU_INFO_DEV_INFO: { |
| - struct drm_amdgpu_info_device dev_info = {}; |
| + struct drm_amdgpu_info_device dev_info; |
| uint64_t vm_size; |
| |
| + memset(&dev_info, 0, sizeof(dev_info)); |
| dev_info.device_id = dev->pdev->device; |
| dev_info.chip_rev = adev->rev_id; |
| dev_info.external_rev = adev->external_rev_id; |
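Review bot: the memset() added at the top of the AMDGPU_INFO_DEV_INFO case carries no comment saying why it replaces the `= {}` initializer, so a later cleanup could fold it back into the declaration and reopen the leak through the 4-byte hole the commit message describes. Suggest a one-line comment above `memset(&dev_info, 0, sizeof(dev_info));` stating that it is there to zero the struct's padding before the struct is copied to userspace.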
| -- |
| 2.27.0 |
| |