
Commit e926c47

drm/compat: Clear bounce structures
Some of them have gaps, or fields we don't clear. Native ioctl code does full copies plus zero-extends on size mismatch, so nothing can leak. But compat is more hand-rolled so need to be careful. None of these matter for performance, so just memset. Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those are security holes anyway. Acked-by: Maxime Ripard <[email protected]> Reported-by: [email protected] # vblank ioctl Cc: [email protected] Cc: [email protected] Signed-off-by: Daniel Vetter <[email protected]> Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
1 parent 19bafac commit e926c47


1 file changed

+11
-0
lines changed


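--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -99,6 +99,8 @@ static int compat_drm_version(struct file *file, unsigned int cmd,
 if (copy_from_user(&v32, (void __user *)arg, sizeof(v32)))
 return -EFAULT;
 
+memset(&v, 0, sizeof(v));
+
 v = (struct drm_version) {
 .name_len = v32.name_len,
 .name = compat_ptr(v32.name),
@@ -137,6 +139,9 @@ static int compat_drm_getunique(struct file *file, unsigned int cmd,
 
 if (copy_from_user(&uq32, (void __user *)arg, sizeof(uq32)))
 return -EFAULT;
+
+memset(&uq, 0, sizeof(uq));
+
 uq = (struct drm_unique){
 .unique_len = uq32.unique_len,
 .unique = compat_ptr(uq32.unique),
@@ -265,6 +270,8 @@ static int compat_drm_getclient(struct file *file, unsigned int cmd,
 if (copy_from_user(&c32, argp, sizeof(c32)))
 return -EFAULT;
 
+memset(&client, 0, sizeof(client));
+
 client.idx = c32.idx;
 
 err = drm_ioctl_kernel(file, drm_getclient, &client, 0);
@@ -852,6 +859,8 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
 if (copy_from_user(&req32, argp, sizeof(req32)))
 return -EFAULT;
 
+memset(&req, 0, sizeof(req));
+
 req.request.type = req32.request.type;
 req.request.sequence = req32.request.sequence;
 req.request.signal = req32.request.signal;
@@ -889,6 +898,8 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd,
 struct drm_mode_fb_cmd2 req64;
 int err;
 
+memset(&req64, 0, sizeof(req64));
+
 if (copy_from_user(&req64, argp,
 offsetof(drm_mode_fb_cmd232_t, modifier)))
 return -EFAULT;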
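Review bot: In compat_drm_version and compat_drm_getunique the new memset() is immediately followed by a whole-struct assignment from a compound literal (`v = (struct drm_version) {`, `uq = (struct drm_unique){`), and C leaves a struct's padding bytes unspecified after such a store, so the gaps the memset cleared are not guaranteed to stay zero. The literal already zero-initialises every member it does not name, so in these two functions the memset only helps if the compiler happens to assign member by member. Assigning the fields one at a time after the memset, as the compat_drm_getclient and compat_drm_wait_vblank hunks already do (`v.name_len = v32.name_len;`, `v.name = compat_ptr(v32.name);` and so on), would make the clearing hold. Both literals continue past the end of their hunks, and whether those gaps are ever copied back to user space is not visible here.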
