    fbdev/omapfb: fix omapfb_memory_read infoleak · 1bafcbf5
    Tomi Valkeinen authored
    OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies
    them to a userspace buffer. The code has two issues:
    
    - The user provided width and height could be large enough to overflow
      the calculations
    - The copy_to_user() can copy uninitialized memory to the userspace,
      which might contain sensitive kernel information.
    
    Fix these by limiting the width & height parameters, and only copying
    the amount of data that we actually received from the LCD.
    Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
    Reported-by: Jann Horn <jannh@google.com>
    Cc: stable@vger.kernel.org
    Cc: security@kernel.org
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Jann Horn <jannh@google.com>
    Cc: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
omapfb-ioctl.c 18.9 KB
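
The two fixes named in the commit message (bound the width and height before multiplying, and copy out only the bytes the panel actually returned), shown as an added userspace C example; it is not the kernel patch and not code from this page. MAX_DIM, BYTES_PER_PIXEL, panel_read_fn, short_read and tail_untouched are assumptions made for the illustration, and memcpy() stands in for copy_to_user().

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DIM 4096u       /* assumed cap; the page does not state the limit */
#define BYTES_PER_PIXEL 3u  /* assumed pixel size */
/* Hypothetical panel read: returns bytes actually written to dst, or < 0. */
typedef long (*panel_read_fn)(uint8_t *dst, size_t len);

/* Returns the number of bytes copied to user_buf, or -1 if rejected. */
long memory_read_checked(uint32_t w, uint32_t h, uint8_t *user_buf,
                         size_t user_len, panel_read_fn read_panel)
{
    /* Bound both dimensions first so w * h * bpp cannot wrap. */
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM)
        return -1;
    size_t need = (size_t)w * h * BYTES_PER_PIXEL;
    if (need > user_len)
        return -1;
    uint8_t *tmp = malloc(need);    /* uninitialized, like a kernel buffer */
    if (!tmp)
        return -1;
    long got = read_panel(tmp, need);
    if (got < 0 || (size_t)got > need)
        got = -1;
    else    /* copy only what the panel delivered, never all of 'need' */
        memcpy(user_buf, tmp, (size_t)got);  /* stands in for copy_to_user() */
    free(tmp);
    return got;
}

/* Constructed panel stub: delivers only half of the requested bytes. */
long short_read(uint8_t *dst, size_t len)
{
    memset(dst, 0xAB, len / 2);
    return (long)(len / 2);
}

/* Returns 1 if every byte past the returned count kept its 0x5A sentinel. */
int tail_untouched(uint32_t w, uint32_t h)
{
    uint8_t buf[48];
    memset(buf, 0x5A, sizeof buf);
    long got = memory_read_checked(w, h, buf, sizeof buf, short_read);
    for (size_t i = got < 0 ? 0 : (size_t)got; i < sizeof buf; i++)
        if (buf[i] != 0x5A) return 0;
    return 1;
}

int main(void) { return tail_untouched(4, 2) ? 0 : 1; }
```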