Stable Archive on lore.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Biggers <ebiggers@google.com>,
	syzbot+8da9175e28eadcb203ce@syzkaller.appspotmail.com,
	Jiri Slaby <jslaby@suse.cz>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 5.4 18/19] tty: fix compat TIOCGSERIAL leaking uninitialized memory
Date: Thu, 26 Mar 2020 19:24:30 -0400
Message-ID: <20200326232431.7816-18-sashal@kernel.org>
In-Reply-To: <20200326232431.7816-1-sashal@kernel.org>

From: Eric Biggers <ebiggers@google.com>

[ Upstream commit 17329563a97df3ba474eca5037c1336e46e14ff8 ]

Commit 77654350306a ("take compat TIOC[SG]SERIAL treatment into
tty_compat_ioctl()") changed the compat version of TIOCGSERIAL to start
copying a whole 'serial_struct32' to userspace rather than individual
fields, but failed to initialize all padding and fields -- namely the
hole after the 'iomem_reg_shift' field, and the 'reserved' field.

Fix this by initializing the struct to zero.

[v2: use sizeof, and convert the adjacent line for consistency.]

Reported-by: syzbot+8da9175e28eadcb203ce@syzkaller.appspotmail.com
Fixes: 77654350306a ("take compat TIOC[SG]SERIAL treatment into tty_compat_ioctl()")
Cc: <stable@vger.kernel.org> # v4.20+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20200224182044.234553-2-ebiggers@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/tty_io.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 802c1210558f2..d4c7f663efe99 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2731,7 +2731,9 @@ static int compat_tty_tiocgserial(struct tty_struct *tty,
 	struct serial_struct32 v32;
 	struct serial_struct v;
 	int err;
-	memset(&v, 0, sizeof(struct serial_struct));
+
+	memset(&v, 0, sizeof(v));
+	memset(&v32, 0, sizeof(v32));
 
 	if (!tty->ops->set_serial)
 		return -ENOTTY;
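Review bot: the new memset(&v32, 0, sizeof(v32)) is what actually closes the leak, because the per-field copy of v into v32 never writes the padding after 'iomem_reg_shift' or the 'reserved' field, and zeroing the whole object up front is the robust way to handle that rather than assigning the hole and reserved bytes individually; the change of the existing line to sizeof(v) is a consistency-only edit, and the added blank line between the declarations and the first statement matches kernel style. Since the commit message says the compat path copies the whole 'serial_struct32' to userspace, it is worth confirming that the copy later in the function (outside this hunk) uses the full sizeof(v32) so the zeroed tail is exactly what reaches userspace.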
-- 
2.20.1
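To make the commit message's point concrete, the following is an added example that is not part of the patch or of the kernel source: it models how filling a struct field by field and then copying the whole object to userspace leaks whatever the stack held in the padding hole after 'iomem_reg_shift' and in the never-written 'reserved' field, and how zeroing the struct first (the fix above) removes the leak. The struct is a stand-in modelled on the layout of the kernel's serial_struct32, the 0xAA marker stands in for stale stack contents, and the field values are constructed sample data.

```c
/*
 * Added example (not kernel code): stale bytes in struct padding and in an
 * unwritten field survive a field-by-field copy and would reach userspace
 * unless the whole struct is zeroed first.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* marker standing in for leftover kernel stack contents */

/* Stand-in modelled on the kernel's serial_struct32 layout (not its definition). */
struct serial_struct32_model {
	int32_t  type;
	int32_t  line;
	uint32_t port;
	int32_t  irq;
	int32_t  flags;
	int32_t  xmit_fifo_size;
	int32_t  custom_divisor;
	int32_t  baud_base;
	uint16_t close_delay;
	char     io_type;
	char     reserved_char;
	int32_t  hub6;
	uint16_t closing_wait;
	uint16_t closing_wait2;
	uint32_t iomem_base;
	uint16_t iomem_reg_shift;  /* a 2-byte hole follows on 4-byte-aligned ABIs */
	uint32_t port_high;
	int32_t  reserved[1];      /* never written by the field-by-field copy */
};

/*
 * Mirrors a per-field copy: every named field except 'reserved' is assigned,
 * so the padding hole and 'reserved' keep whatever was there before.
 * Values are constructed sample data.
 */
static void fill_fields(struct serial_struct32_model *v32)
{
	v32->type = 4; v32->line = 0; v32->port = 0x3f8; v32->irq = 4;
	v32->flags = 0; v32->xmit_fifo_size = 16; v32->custom_divisor = 0;
	v32->baud_base = 115200; v32->close_delay = 50; v32->io_type = 0;
	v32->reserved_char = 0; v32->hub6 = 0; v32->closing_wait = 3000;
	v32->closing_wait2 = 0; v32->iomem_base = 0; v32->iomem_reg_shift = 0;
	v32->port_high = 0;
}

/*
 * Count the bytes still holding the STALE marker once the struct is ready to
 * be copied to userspace. zero_first = 0 is the buggy path, 1 is the fix.
 */
size_t stale_bytes(int zero_first)
{
	struct serial_struct32_model v32;
	const unsigned char *p = (const unsigned char *)&v32;
	size_t i, n = 0;

	memset(&v32, STALE, sizeof(v32));   /* simulate an uninitialised stack slot */
	if (zero_first)
		memset(&v32, 0, sizeof(v32));  /* the patch's fix */
	fill_fields(&v32);

	for (i = 0; i < sizeof(v32); i++)
		if (p[i] == STALE)
			n++;
	return n;
}

/* Bytes the layout predicts will leak: the hole after iomem_reg_shift plus 'reserved'. */
size_t expected_leak(void)
{
	size_t hole = offsetof(struct serial_struct32_model, port_high) -
		      (offsetof(struct serial_struct32_model, iomem_reg_shift) +
		       sizeof(uint16_t));
	return hole + sizeof(int32_t[1]);
}

int main(void)
{
	printf("without memset: %zu stale bytes would reach userspace (layout predicts %zu)\n",
	       stale_bytes(0), expected_leak());
	printf("with memset:    %zu stale bytes\n", stale_bytes(1));
	return 0;
}
```

Scanning the object byte-wise rather than field-wise is the check that matters here, because a copy_to_user() of the whole struct is equally byte-wise: a compiler is free to leave padding untouched when it stores to neighbouring members, so only zeroing the full sizeof(v32) guarantees that nothing from the previous stack contents is exposed.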

