Author: emaste
Date: Wed Mar 21 23:51:14 2018
New Revision: 331333
URL: https://svnweb.freebsd.org/changeset/base/331333

Log:
  Fix kernel memory disclosure in drm_infobufs
  
  drm_infobufs() has a structure on the stack, fills it out and copies it
  to userland.  There are 2 elements in the struct that are not filled out
  and left uninitialized.  This will leak uninitialized kernel stack data
  to userland.
  
  Submitted by: Domagoj Stolfa <ds...@cam.ac.uk>
  Reported by:  Ilja Van Sprundel <ivansprun...@ioactive.com>
  MFC after:    1 day
  Security:     Kernel memory disclosure (798)

Modified:
  head/sys/dev/drm/drm_bufs.c

Modified: head/sys/dev/drm/drm_bufs.c
==============================================================================
--- head/sys/dev/drm/drm_bufs.c Wed Mar 21 23:50:46 2018        (r331332)
+++ head/sys/dev/drm/drm_bufs.c Wed Mar 21 23:51:14 2018        (r331333)
@@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, s
                        if (dma->bufs[i].buf_count) {
                                struct drm_buf_desc from;
 
+                               memset(&from, 0, sizeof(from));
                                from.count = dma->bufs[i].buf_count;
                                from.size = dma->bufs[i].buf_size;
                                from.low_mark = dma->bufs[i].freelist.low_mark;
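
Review bot: The new memset(&from, 0, sizeof(from)) at the top of the if (dma->bufs[i].buf_count) block carries no comment, and because the lines right after it assign from.count, from.size and from.low_mark, a later cleanup could mistake it for redundant and drop it. Suggest a one-line comment above it saying that the structure is copied out to userland, so members this function does not set, and any padding, must be zeroed first. Keeping memset here rather than switching to an initializer such as "struct drm_buf_desc from = { 0 };" is the right call, since an initializer is not guaranteed to clear padding bytes.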
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
