driver/video/fbdev/aty/atyfb_base.c: atyfb_ioctl() stack infoleak

From: sohu0106
Date: Thu Aug 03 2017 - 10:02:43 EST

Next message: Liviu Dudau: "Re: [PATCH 02/29] drm: mali-dp: switch to drm_*{get,put} helpers"
Previous message: Peter Zijlstra: "Re: [PATCH v6 2/3]: perf/core: use context tstamp_data for skipped events on mux interrupt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

driver/video/fbdev/aty/atyfb_base.c
In atyfb_ioctl() structure atyclk is copied to userland with padding bytes after "vclk_post_div" field unitialized. It leads to leaking of contents of kernel stack memory.

3 Âdrivers/video/fbdev/aty/atyfb_base.c
Â@@ -1857,6 +1857,9 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
Â if (M64_HAS(INTEGRATED)) {
Â struct atyclk clk;
Â union aty_pll *pll = &par->pll;
Â+
Â+ memset( &clk, 0, sizeof(struct atyclk) );
Â+
Â u32 dsp_config = pll->ct.dsp_config;
Â u32 dsp_on_off = pll->ct.dsp_on_off;
Â clk.ref_clk_per = par->ref_clk_per;

Â

Next message: Liviu Dudau: "Re: [PATCH 02/29] drm: mali-dp: switch to drm_*{get,put} helpers"
Previous message: Peter Zijlstra: "Re: [PATCH v6 2/3]: perf/core: use context tstamp_data for skipped events on mux interrupt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]