atyfb_base.c: atyfb_ioctl() stack infoleak

sohu0106 Thu, 03 Aug 2017 07:03:11 -0700


driver/video/fbdev/aty/atyfb_base.c
In atyfb_ioctl() structure atyclk is copied to userland with padding bytes 
after "vclk_post_div" field unitialized.  It leads to leaking of contents of 
kernel stack memory.



3  drivers/video/fbdev/aty/atyfb_base.c
 @@ -1857,6 +1857,9 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, 
u_long arg)
                if (M64_HAS(INTEGRATED)) {
                        struct atyclk clk;
                        union aty_pll *pll = &par->pll;
 +                      
 +                      memset( &clk, 0, sizeof(struct atyclk) );
 +                      
                        u32 dsp_config = pll->ct.dsp_config;
                        u32 dsp_on_off = pll->ct.dsp_on_off;
                        clk.ref_clk_per = par->ref_clk_per;

driver/video/fbdev/aty/atyfb_base.c: atyfb_ioctl() stack infoleak

Reply via email to