From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932743Ab0HXW5o (ORCPT ); Tue, 24 Aug 2010 18:57:44 -0400 Received: from kroah.org ([198.145.64.141]:52322 "EHLO coco.kroah.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932497Ab0HXWyZ (ORCPT ); Tue, 24 Aug 2010 18:54:25 -0400 X-Mailbox-Line: From gregkh@clark.site Tue Aug 24 15:25:26 2010 Message-Id: <20100824222526.504596500@clark.site> User-Agent: quilt/0.48-11.2 Date: Tue, 24 Aug 2010 15:24:59 -0700 From: Greg KH To: linux-kernel@vger.kernel.org, stable@kernel.org Cc: stable-review@kernel.org, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk, Dave Airlie Subject: [47/59] drm: stop information leak of old kernel stack. In-Reply-To: <20100824224625.GA5449@kroah.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 2.6.32-stable review patch. If anyone has any objections, please let us know. ------------------ From: Dave Airlie commit b9f0aee83335db1f3915f4e42a5e21b351740afd upstream. non-critical issue, CVE-2010-2803 Userspace controls the amount of memory to be allocate, so it can get the ioctl to allocate more memory than the kernel uses, and get access to kernel stack. This can only be done for processes authenticated to the X server for DRI access, and if the user has DRI access. Fix is to just memset the data to 0 if the user doesn't copy into it in the first place. Reported-by: Kees Cook Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/drm_drv.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -470,7 +470,9 @@ int drm_ioctl(struct inode *inode, struc retcode = -EFAULT; goto err_i1; } - } + } else + memset(kdata, 0, _IOC_SIZE(cmd)); + retcode = func(dev, kdata, file_priv); if (cmd & IOC_OUT) {