releases/4.14.177/fbdev-potential-information-leak-in-do_fb_ioctl.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From d3d19d6fc5736a798b118971935ce274f7deaa82 Mon Sep 17 00:00:00 2001
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Mon, 13 Jan 2020 14:08:14 +0300
 Subject: fbdev: potential information leak in do_fb_ioctl()

 From: Dan Carpenter <dan.carpenter@oracle.com>

 commit d3d19d6fc5736a798b118971935ce274f7deaa82 upstream.

 The "fix" struct has a 2 byte hole after ->ywrapstep and the
 "fix = info->fix;" assignment doesn't necessarily clear it.  It depends
 on the compiler.  The solution is just to replace the assignment with an
 memcpy().

 Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Cc: Andrew Morton <akpm@linux-foundation.org>
 Cc: Arnd Bergmann <arnd@arndb.de>
 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
 Cc: Andrea Righi <righi.andrea@gmail.com>
 Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
 Cc: Sam Ravnborg <sam@ravnborg.org>
 Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
 Cc: Daniel Thompson <daniel.thompson@linaro.org>
 Cc: Peter Rosin <peda@axentia.se>
 Cc: Jani Nikula <jani.nikula@intel.com>
 Cc: Gerd Hoffmann <kraxel@redhat.com>
 Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
 Link: https://patchwork.freedesktop.org/patch/msgid/20200113100132.ixpaymordi24n3av@kili.mountain
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/video/fbdev/core/fbmem.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 --- a/drivers/video/fbdev/core/fbmem.c
 +++ b/drivers/video/fbdev/core/fbmem.c
 @@ -1134,7 +1134,7 @@ static long do_fb_ioctl(struct fb_info *
  	case FBIOGET_FSCREENINFO:
  		if (!lock_fb_info(info))
  			return -ENODEV;
 -		fix = info->fix;
 +		memcpy(&fix, &info->fix, sizeof(fix));
  		unlock_fb_info(info);

  		ret = copy_to_user(argp, &fix, sizeof(fix)) ? -EFAULT : 0;
	From d3d19d6fc5736a798b118971935ce274f7deaa82 Mon Sep 17 00:00:00 2001
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Mon, 13 Jan 2020 14:08:14 +0300
	Subject: fbdev: potential information leak in do_fb_ioctl()

	From: Dan Carpenter <dan.carpenter@oracle.com>

	commit d3d19d6fc5736a798b118971935ce274f7deaa82 upstream.

	The "fix" struct has a 2 byte hole after ->ywrapstep and the
	"fix = info->fix;" assignment doesn't necessarily clear it. It depends
	on the compiler. The solution is just to replace the assignment with an
	memcpy().

	Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Cc: Andrew Morton <akpm@linux-foundation.org>
	Cc: Arnd Bergmann <arnd@arndb.de>
	Cc: "Eric W. Biederman" <ebiederm@xmission.com>
	Cc: Andrea Righi <righi.andrea@gmail.com>
	Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
	Cc: Sam Ravnborg <sam@ravnborg.org>
	Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
	Cc: Daniel Thompson <daniel.thompson@linaro.org>
	Cc: Peter Rosin <peda@axentia.se>
	Cc: Jani Nikula <jani.nikula@intel.com>
	Cc: Gerd Hoffmann <kraxel@redhat.com>
	Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
	Link: https://patchwork.freedesktop.org/patch/msgid/20200113100132.ixpaymordi24n3av@kili.mountain
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/video/fbdev/core/fbmem.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	--- a/drivers/video/fbdev/core/fbmem.c
	+++ b/drivers/video/fbdev/core/fbmem.c
	@@ -1134,7 +1134,7 @@ static long do_fb_ioctl(struct fb_info *
	case FBIOGET_FSCREENINFO:
	if (!lock_fb_info(info))
	return -ENODEV;
	- fix = info->fix;
	+ memcpy(&fix, &info->fix, sizeof(fix));
	unlock_fb_info(info);

	ret = copy_to_user(argp, &fix, sizeof(fix)) ? -EFAULT : 0;