Fix kernel memory disclosure in drm_infobufs

drm_infobufs() has a structure on the stack, fills it out and copies it
to userland.  There are 2 elements in the struct that are not filled out
and left uninitialized.  This will leak uninitialized kernel stack data
to userland.

Submitted by:	Domagoj Stolfa <ds815@cam.ac.uk>
Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after:	1 day
Security:	Kernel memory disclosure (798)
emaste 2018-03-21 23:51:14 +00:00
parent 9267ddfb50
commit 819725ff5d

@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, struct drm_file *file_priv)
if (dma->bufs[i].buf_count) {
struct drm_buf_desc from;
memset(&from, 0, sizeof(from));
from.count = dma->bufs[i].buf_count;
from.size = dma->bufs[i].buf_size;
from.low_mark = dma->bufs[i].freelist.low_mark;
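Review bot: the `memset(&from, 0, sizeof(from));` at the top of the `if (dma->bufs[i].buf_count)` block has no comment, and because the lines after it assign `count`, `size` and `low_mark` one by one, it reads as redundant and could be dropped in a later cleanup. A one-line comment saying that `from` is copied out to userland and must be zeroed in full, including the members this block never assigns, would protect it. Keeping `memset` rather than switching to an initializer is the right call here, since an initializer is not guaranteed to clear padding bytes. The same pattern (stack struct, partial field assignment, copy to userland) is worth checking in the other ioctl handlers in this file.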