From: Thomas Hellstrom
Date: Mon, 08 Nov 2010 15:40:59 +0000
Subject: Re: [PATCH] gpu: drm: vmwgfx: fix information leak to userland
Message-Id: <4CD81A0B.30209@vmware.com>
References: <1289054477-18100-1-git-send-email-segooon@gmail.com>
In-Reply-To: <1289054477-18100-1-git-send-email-segooon@gmail.com>
To: Vasiliy Kulikov
Cc: Dan Carpenter, "kernel-janitors@vger.kernel.org", "linux-kernel@vger.kernel.org", "dri-devel@lists.freedesktop.org", Jerome Glisse, Dave Airlie

On 11/06/2010 03:41 PM, Vasiliy Kulikov wrote:
> Structure drm_vmw_fence_rep is copied to userland with field "pad64"
> uninitialized. It leads to leaking of contents of kernel stack memory.
>
> Signed-off-by: Vasiliy Kulikov
> ---
> Compile tested.
>
> drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c > index 51d9f9f..76954e3 100644 > --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c > +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c > @@ -691,6 +691,7 @@ int vmw_execbuf_ioctl(struct drm_device *dev, void *data, > > fence_rep.error = ret; > fence_rep.fence_seq = (uint64_t) sequence; > + fence_rep.pad64 = 0; > > user_fence_rep = (struct drm_vmw_fence_rep __user *) > (unsigned long)arg->fence_rep; >
Reviewed-by: Thomas Hellstrom
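Review bot: the added `fence_rep.pad64 = 0;` in vmw_execbuf_ioctl() closes the leak for this one member only, so the fix depends on every member of fence_rep being assigned by hand before it is copied out through user_fence_rep. The visible lines set error, fence_seq and now pad64, but they do not show the declaration of fence_rep or the layout of struct drm_vmw_fence_rep, so the hunk alone cannot confirm that no other member or compiler-inserted padding is left holding stack contents. Zeroing the whole object once before the assignments, for example `memset(&fence_rep, 0, sizeof(fence_rep));`, would cover pad64, any padding, and any member added to the struct later, and would make the per-field clear unnecessary. The submission is marked "Compile tested" only, so a short note on how the reply struct was checked for other gaps would help.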