Re: [PATCH v2 1/2] tty: fix compat TIOCGSERIAL leaking uninitialized memory

From: Greg Kroah-Hartman
Date: Wed Mar 18 2020 - 08:00:04 EST


On Mon, Mar 02, 2020 at 01:24:25PM -0800, Eric Biggers wrote:
> On Tue, Feb 25, 2020 at 08:30:35AM +0100, Jiri Slaby wrote:
> > On 24. 02. 20, 19:20, Eric Biggers wrote:
> > > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> > >
> > > Commit 77654350306a ("take compat TIOC[SG]SERIAL treatment into
> > > tty_compat_ioctl()") changed the compat version of TIOCGSERIAL to start
> > > copying a whole 'serial_struct32' to userspace rather than individual
> > > fields, but failed to initialize all padding and fields -- namely the
> > > hole after the 'iomem_reg_shift' field, and the 'reserved' field.
> > >
> > > Fix this by initializing the struct to zero.
> > >
> > > [v2: use sizeof, and convert the adjacent line for consistency.]
> > >
> > > Reported-by: syzbot+8da9175e28eadcb203ce@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > Fixes: 77654350306a ("take compat TIOC[SG]SERIAL treatment into tty_compat_ioctl()")
> > > Cc: <stable@xxxxxxxxxxxxxxx> # v4.20+
> > > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> >
> > Acked-by: Jiri Slaby <jslaby@xxxxxxx>
> >
>
> Thanks. Greg, are you planning to take these patches?

Yes, sorry, they were not cc: linux-serial and fell through my initial
filters, to go into my generic "to-review" bucket. Will take them
now...

greg k-h
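
The padding-hole leak described in the quoted commit message, as an added user-space illustration that is not part of this thread or of the kernel patch. `demo_serial32` is a constructed stand-in (not the kernel's `serial_struct32`), the 0xAA fill stands in for stale stack contents, and the layout assumes an ABI where 32-bit integers are 4-byte aligned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in, NOT the kernel's serial_struct32: a 2-byte field
 * followed by a 4-byte field leaves an alignment hole, and 'reserved' is a
 * field the fill code never writes. */
struct demo_serial32 {
    int32_t  type;
    uint16_t iomem_reg_shift;   /* hole follows on 4-byte-aligned ABIs */
    uint32_t port_high;
    int32_t  reserved;
};

#define STALE 0xAA              /* stands in for old stack contents */

/* Size of the hole between iomem_reg_shift and port_high. */
size_t hole_after_shift(void)
{
    return offsetof(struct demo_serial32, port_high)
         - offsetof(struct demo_serial32, iomem_reg_shift) - sizeof(uint16_t);
}

/* Build the reply the way the buggy/fixed code would and return how many
 * stale bytes the whole-struct copy would hand to userspace. Fields are
 * stored with memcpy at their offsets so padding bytes stay deterministic. */
size_t stale_bytes_copied(int zero_first)
{
    unsigned char v[sizeof(struct demo_serial32)];
    int32_t type = 4; uint16_t shift = 2; uint32_t high = 0;
    size_t i, n = 0;

    memset(v, STALE, sizeof(v));            /* dirty stack slot */
    if (zero_first)
        memset(v, 0, sizeof(v));            /* the fix: zero the struct */
    memcpy(v + offsetof(struct demo_serial32, type), &type, sizeof(type));
    memcpy(v + offsetof(struct demo_serial32, iomem_reg_shift), &shift, sizeof(shift));
    memcpy(v + offsetof(struct demo_serial32, port_high), &high, sizeof(high));
    for (i = 0; i < sizeof(v); i++)         /* what copy_to_user would send */
        n += (v[i] == STALE);
    return n;
}

int main(void)
{
    printf("hole=%zu leaked(before)=%zu leaked(after)=%zu\n",
           hole_after_shift(), stale_bytes_copied(0), stale_bytes_copied(1));
    return 0;
}
```

The stale count without zeroing is the hole plus the untouched `reserved` field, which is why assigning every named field is not enough when the whole struct is copied out.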