driver/video/fbdev/aty/atyfb_base.c: atyfb_ioctl() stack infoleak

From: sohu0106
Date: Thu Aug 03 2017 - 10:02:43 EST





driver/video/fbdev/aty/atyfb_base.c
In atyfb_ioctl(), structure atyclk is copied to userland with the padding bytes after the "vclk_post_div" field uninitialized. This leads to leaking the contents of kernel stack memory.



3 Âdrivers/video/fbdev/aty/atyfb_base.c
Â@@ -1857,6 +1857,9 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
 if (M64_HAS(INTEGRATED)) {
 struct atyclk clk;
 union aty_pll *pll = &par->pll;
Â+
Â+ memset( &clk, 0, sizeof(struct atyclk) );
Â+
 u32 dsp_config = pll->ct.dsp_config;
 u32 dsp_on_off = pll->ct.dsp_on_off;
 clk.ref_clk_per = par->ref_clk_per;
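Review bot: the memset() is placed between the declaration of pll and the declarations of dsp_config and dsp_on_off, which turns those two into declarations after a statement, something kernel builds warn about. Move the call below the u32 declarations, directly before clk.ref_clk_per is assigned, or zero the struct where it is declared. The call also carries spaces inside the parentheses, which kernel coding style does not use, and sizeof(clk) would tie the size to the variable instead of repeating the type name.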


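The padding leak described in this mail, reproduced in user space as an added example (it is not part of the original mail or of the kernel source). `struct demo_clk` is a hypothetical layout, not the real `struct atyclk`, and the `0xAA` poison is a constructed stand-in for stale stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout (assumption, not the real struct atyclk): a 32-bit
 * field, seven one-byte fields ending in vclk_post_div, then a 32-bit field. */
struct demo_clk {
    uint32_t ref_clk_per;
    uint8_t  div[6];
    uint8_t  vclk_post_div;
    uint32_t dsp_xclks_per_row;
};

#define POISON 0xAA /* constructed stand-in for stale stack contents */

/* Padding the compiler inserts after vclk_post_div to align the next field. */
static size_t padding_after_post_div(void)
{
    return offsetof(struct demo_clk, dsp_xclks_per_row)
         - (offsetof(struct demo_clk, vclk_post_div) + 1);
}

/* Fill the struct member by member and return how many bytes of the whole
 * object, as a sizeof()-sized copy to userland would see it, are still stale. */
static size_t stale_bytes(int zero_first)
{
    /* The union gives aligned storage that can also be read as raw bytes. */
    union { struct demo_clk clk; unsigned char raw[sizeof(struct demo_clk)]; } u;
    size_t i, n = 0;

    memset(u.raw, POISON, sizeof(u.raw));   /* simulate a dirty stack slot */
    if (zero_first)
        memset(&u.clk, 0, sizeof(u.clk));   /* the fix: clears padding too */
    u.clk.ref_clk_per = 1;
    memset(u.clk.div, 2, sizeof(u.clk.div));
    u.clk.vclk_post_div = 3;
    u.clk.dsp_xclks_per_row = 4;
    for (i = 0; i < sizeof(u.raw); i++)     /* every member is set, so any */
        n += (u.raw[i] == POISON);          /* poison left sits in padding */
    return n;
}

int main(void)
{
    printf("padding=%zu stale(no memset)=%zu stale(memset)=%zu\n",
           padding_after_post_div(), stale_bytes(0), stale_bytes(1));
    return 0;
}
```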