svn commit: r331333 - head/sys/dev/drm
Ed Maste
emaste at FreeBSD.org
Wed Mar 21 23:51:15 UTC 2018
Author: emaste
Date: Wed Mar 21 23:51:14 2018
New Revision: 331333
URL: https://svnweb.freebsd.org/changeset/base/331333
Log:
Fix kernel memory disclosure in drm_infobufs
drm_infobufs() has a structure on the stack, fills it out and copies it
to userland. There are 2 elements in the struct that are not filled out
and left uninitialized. This will leak uninitialized kernel stack data
to userland.
Submitted by: Domagoj Stolfa <ds815 at cam.ac.uk>
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
MFC after: 1 day
Security: Kernel memory disclosure (798)
Modified:
head/sys/dev/drm/drm_bufs.c
Modified: head/sys/dev/drm/drm_bufs.c
==============================================================================
--- head/sys/dev/drm/drm_bufs.c Wed Mar 21 23:50:46 2018 (r331332)
+++ head/sys/dev/drm/drm_bufs.c Wed Mar 21 23:51:14 2018 (r331333)
@@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, s
if (dma->bufs[i].buf_count) {
struct drm_buf_desc from;
+ memset(&from, 0, sizeof(from));
from.count = dma->bufs[i].buf_count;
from.size = dma->bufs[i].buf_size;
from.low_mark = dma->bufs[i].freelist.low_mark;
More information about the svn-src-all
mailing list