| From fd02db9de73faebc51240619c7c7f99bee9f65c7 Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| Date: Wed, 22 Sep 2010 13:05:09 -0700 |
| Subject: drivers/video/sis/sis_main.c: prevent reading uninitialized stack memory |
| |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| |
| commit fd02db9de73faebc51240619c7c7f99bee9f65c7 upstream. |
| |
| The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes |
| of uninitialized stack memory, because the "reserved" member of the |
| fb_vblank struct declared on the stack is not altered or zeroed before |
| being copied back to the user. This patch takes care of it. |
| |
| Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> |
| Cc: Thomas Winischhofer <thomas@winischhofer.net> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/video/sis/sis_main.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/drivers/video/sis/sis_main.c |
| +++ b/drivers/video/sis/sis_main.c |
| @@ -1701,6 +1701,9 @@ static int sisfb_ioctl(struct fb_info *i |
| break; |
| |
| case FBIOGET_VBLANK: |
| + |
| + memset(&sisvbblank, 0, sizeof(struct fb_vblank)); |
| + |
| sisvbblank.count = 0; |
| sisvbblank.flags = sisfb_setupvbblankflags(ivideo, &sisvbblank.vcount, &sisvbblank.hcount); |
| |
