Re: [PATCH v2 1/2] tty: fix compat TIOCGSERIAL leaking uninitialized memory

From: Eric Biggers
Date: Mon Mar 02 2020 - 16:24:28 EST


On Tue, Feb 25, 2020 at 08:30:35AM +0100, Jiri Slaby wrote:
> On 24. 02. 20, 19:20, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> >
> > Commit 77654350306a ("take compat TIOC[SG]SERIAL treatment into
> > tty_compat_ioctl()") changed the compat version of TIOCGSERIAL to start
> > copying a whole 'serial_struct32' to userspace rather than individual
> > fields, but failed to initialize all padding and fields -- namely the
> > hole after the 'iomem_reg_shift' field, and the 'reserved' field.
> >
> > Fix this by initializing the struct to zero.
> >
> > [v2: use sizeof, and convert the adjacent line for consistency.]
> >
> > Reported-by: syzbot+8da9175e28eadcb203ce@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Fixes: 77654350306a ("take compat TIOC[SG]SERIAL treatment into tty_compat_ioctl()")
> > Cc: <stable@xxxxxxxxxxxxxxx> # v4.20+
> > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Acked-by: Jiri Slaby <jslaby@xxxxxxx>
>

Thanks. Greg, are you planning to take these patches?

- Eric
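
Added example, not part of the original thread or of the kernel patch: a userspace C sketch of the bug class the commit message describes, where a struct is filled field by field and then copied out whole, so the alignment hole and an unassigned field still carry old memory. The struct `demo_serial32`, the `STALE` marker, the `COPY_FIELD` macro and `demo_leak()` are hypothetical names for this illustration; the layout is a simplified stand-in, not the kernel's `serial_struct32`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the compat struct (not the kernel's
 * definition): the short is followed by an alignment hole, and 'reserved'
 * is a field the fill code never assigns. */
struct demo_serial32 {
    int            type;
    int            line;
    unsigned short iomem_reg_shift;  /* padding hole follows on common ABIs */
    unsigned int   port_high;
    int            reserved;
};

#define STALE 0xAA  /* constructed marker standing in for old stack contents */

/* Per-field store into the raw object bytes, like "v32.f = v.f". */
#define COPY_FIELD(dst, src, f) \
    memcpy((dst) + offsetof(struct demo_serial32, f), &(src)->f, sizeof((src)->f))

/* Build the reply object and return how many stale bytes it still holds,
 * i.e. what a whole-struct copy to userspace would disclose. */
size_t demo_leak(int zero_first)
{
    /* constructed sample values; none contains the STALE byte */
    const struct demo_serial32 src = { 4, 1, 2, 0, 0 };
    unsigned char out[sizeof(struct demo_serial32)];
    size_t i, leaked = 0;

    memset(out, STALE, sizeof(out));      /* simulate a dirty stack slot */
    if (zero_first)
        memset(out, 0, sizeof(out));      /* the fix: zero the whole object */

    COPY_FIELD(out, &src, type);
    COPY_FIELD(out, &src, line);
    COPY_FIELD(out, &src, iomem_reg_shift);
    COPY_FIELD(out, &src, port_high);
    /* 'reserved' is never assigned, as in the bug described above */

    for (i = 0; i < sizeof(out); i++)
        leaked += (out[i] == STALE);
    return leaked;
}

int main(void)
{
    printf("field-by-field only: %zu stale bytes\n", demo_leak(0));
    printf("zeroed first:        %zu stale bytes\n", demo_leak(1));
    return 0;
}
```

The stale count without zeroing equals `sizeof(struct demo_serial32)` minus the sizes of the four assigned fields, which is why sizing the zeroing with `sizeof` covers both the hole and `reserved` regardless of ABI.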