Re: [PATCH v2] fbdev: potential information leak in do_fb_ioctl()

From: Bartlomiej Zolnierkiewicz
Date: Wed Jan 15 2020 - 09:31:35 EST



On 1/13/20 12:08 PM, Dan Carpenter wrote:
> The "fix" struct has a 2 byte hole after ->ywrapstep and the
> "fix = info->fix;" assignment doesn't necessarily clear it. It depends
> on the compiler. The solution is just to replace the assignment with an
> memcpy().
>
> Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Patch queued for v5.6, thanks.

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics

> ---
> v2: Use memcpy()
>
> drivers/video/fbdev/core/fbmem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index d04554959ea7..bb8d8dbc0461 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -1115,7 +1115,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
> break;
> case FBIOGET_FSCREENINFO:
> lock_fb_info(info);
> - fix = info->fix;
> + memcpy(&fix, &info->fix, sizeof(fix));
> if (info->flags & FBINFO_HIDE_SMEM_START)
> fix.smem_start = 0;
> unlock_fb_info(info);
>