| From 74c2b3080d17203a9bba14562146fba7f9004de1 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Fri, 26 Jun 2020 12:44:26 +0200 |
| Subject: cec-api: prevent leaking memory through hole in structure |
| |
| From: Hans Verkuil <hverkuil-cisco@xs4all.nl> |
| |
| [ Upstream commit 6c42227c3467549ddc65efe99c869021d2f4a570 ] |
| |
| Fix this smatch warning: |
| |
| drivers/media/cec/core/cec-api.c:156 cec_adap_g_log_addrs() warn: check that 'log_addrs' doesn't leak information (struct has a hole after |
| 'features') |
| |
| Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/staging/media/cec/cec-api.c | 8 +++++++- |
| 1 file changed, 7 insertions(+), 1 deletion(-) |
| |
| diff --git a/drivers/staging/media/cec/cec-api.c b/drivers/staging/media/cec/cec-api.c |
| index e274e2f223986..264bb7d1efcb8 100644 |
| --- a/drivers/staging/media/cec/cec-api.c |
| +++ b/drivers/staging/media/cec/cec-api.c |
| @@ -141,7 +141,13 @@ static long cec_adap_g_log_addrs(struct cec_adapter *adap, |
| struct cec_log_addrs log_addrs; |
| |
| mutex_lock(&adap->lock); |
| - log_addrs = adap->log_addrs; |
| + /* |
| + * We use memcpy here instead of assignment since there is a |
| + * hole at the end of struct cec_log_addrs that an assignment |
| + * might ignore. So when we do copy_to_user() we could leak |
| + * one byte of memory. |
| + */ |
| + memcpy(&log_addrs, &adap->log_addrs, sizeof(log_addrs)); |
| if (!adap->is_configured) |
| memset(log_addrs.log_addr, CEC_LOG_ADDR_INVALID, |
| sizeof(log_addrs.log_addr)); |
| -- |
| 2.25.1 |
| |