The GPIO event descriptor was leaking kernel stack to userspace because we don't zero the variable before use. Ooops. Fix this.
Cc: stable@vger.kernel.org Cc: Bartosz Golaszewski brgl@bgdev.pl Cc: Arnd Bergmann arnd@arndb.de Reported-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Linus Walleij linus.walleij@linaro.org --- drivers/gpio/gpiolib.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 37e31ba82ca0..754836e4ca0e 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -744,6 +744,9 @@ static irqreturn_t lineevent_irq_thread(int irq, void *p) struct gpioevent_data ge; int ret, level;
+ /* Do not leak kernel stack to userspace */ + memset(&ge, 0, sizeof(ge)); + ge.timestamp = ktime_get_real_ns(); level = gpiod_get_value_cansleep(le->desc);
2018-01-22 13:21 GMT+01:00 Linus Walleij linus.walleij@linaro.org:
The GPIO event descriptor was leaking kernel stack to userspace because we don't zero the variable before use. Ooops. Fix this.
Cc: stable@vger.kernel.org Cc: Bartosz Golaszewski brgl@bgdev.pl Cc: Arnd Bergmann arnd@arndb.de Reported-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Linus Walleij linus.walleij@linaro.org
drivers/gpio/gpiolib.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 37e31ba82ca0..754836e4ca0e 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -744,6 +744,9 @@ static irqreturn_t lineevent_irq_thread(int irq, void *p) struct gpioevent_data ge; int ret, level;
/* Do not leak kernel stack to userspace */memset(&ge, 0, sizeof(ge));ge.timestamp = ktime_get_real_ns(); level = gpiod_get_value_cansleep(le->desc);-- 2.14.3
Reviewed-by: Bartosz Golaszewski brgl@bgdev.pl
On Mon, Jan 22, 2018 at 1:21 PM, Linus Walleij linus.walleij@linaro.org wrote:
The GPIO event descriptor was leaking kernel stack to userspace because we don't zero the variable before use. Ooops. Fix this.
Cc: stable@vger.kernel.org Cc: Bartosz Golaszewski brgl@bgdev.pl Cc: Arnd Bergmann arnd@arndb.de Reported-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Linus Walleij linus.walleij@linaro.org
drivers/gpio/gpiolib.c | 3 +++ 1 file changed, 3 insertions(+)
Reviewed-by: Arnd Bergmann arnd@arndb.de
linux-stable-mirror@lists.linaro.org
-
Arnd Bergmann -
Bartosz Golaszewski -
Linus Walleij