[RFC v2 02/10] pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace

From: Ritesh Harjani (IBM)

Date: Wed Apr 08 2026 - 08:04:17 EST


The hdr variable is allocated on the stack and only hdr.version and
hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr
contains reserved padding bytes (reserved[3] and reserved2[40]), these
could leak the uninitialized bytes to userspace after copy_to_user().

This patch fixes that by initializing the whole struct to 0.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 814ef095f12c9 ("powerpc/pseries: Add papr-hvpipe char driver for HVPIPE interfaces")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@xxxxxxxxx>
---
arch/powerpc/platforms/pseries/papr-hvpipe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c
index c41d45e1986d..3392874ebdf6 100644
--- a/arch/powerpc/platforms/pseries/papr-hvpipe.c
+++ b/arch/powerpc/platforms/pseries/papr-hvpipe.c
@@ -327,7 +327,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file,
{

struct hvpipe_source_info *src_info = file->private_data;
- struct papr_hvpipe_hdr hdr;
+ struct papr_hvpipe_hdr hdr = {};
long ret;

/*
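Review bot: On the changed `hdr` declaration, `= {}` zeroes the named members, which covers the reserved[3] and reserved2[40] fields the commit message calls out, but these lines do not show whether struct papr_hvpipe_hdr also has compiler-inserted padding between or after its members. An empty initializer is not guaranteed by the C standard to clear such padding. Please either confirm in the commit message that the struct has no implicit padding, or use memset(&hdr, 0, sizeof(hdr)) before hdr.version and hdr.flags are set, so every byte handed to copy_to_user() is defined. A one-line comment at the declaration saying the struct is copied to userspace in full would also help keep a later refactor from dropping the initializer.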
--
2.39.5