Message ID | 20180122122146.25689-1-linus.walleij@linaro.org |
---|---|
State | Accepted |
Commit | 24bd3efc9d1efb5f756a7c6f807a36ddb6adc671 |
Series | gpio: Fix kernel stack leak to userspace |
2018-01-22 13:21 GMT+01:00 Linus Walleij <linus.walleij@linaro.org>: > The GPIO event descriptor was leaking kernel stack to > userspace because we don't zero the variable before > use. Ooops. Fix this. > > Cc: stable@vger.kernel.org > Cc: Bartosz Golaszewski <brgl@bgdev.pl> > Cc: Arnd Bergmann <arnd@arndb.de> > Reported-by: Arnd Bergmann <arnd@arndb.de> > Signed-off-by: Linus Walleij <linus.walleij@linaro.org> > --- > drivers/gpio/gpiolib.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c > index 37e31ba82ca0..754836e4ca0e 100644 > --- a/drivers/gpio/gpiolib.c > +++ b/drivers/gpio/gpiolib.c > @@ -744,6 +744,9 @@ static irqreturn_t lineevent_irq_thread(int irq, void *p) > struct gpioevent_data ge; > int ret, level; > > + /* Do not leak kernel stack to userspace */ > + memset(&ge, 0, sizeof(ge)); > + > ge.timestamp = ktime_get_real_ns(); > level = gpiod_get_value_cansleep(le->desc); > > -- > 2.14.3 > Reviewed-by: Bartosz Golaszewski <brgl@bgdev.pl> -- To unsubscribe from this list: send the line "unsubscribe linux-gpio" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Jan 22, 2018 at 1:21 PM, Linus Walleij <linus.walleij@linaro.org> wrote:
> The GPIO event descriptor was leaking kernel stack to
> userspace because we don't zero the variable before
> use. Ooops. Fix this.
>
> Cc: stable@vger.kernel.org
> Cc: Bartosz Golaszewski <brgl@bgdev.pl>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Reported-by: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
> ---
> drivers/gpio/gpiolib.c | 3 +++
> 1 file changed, 3 insertions(+)

Reviewed-by: Arnd Bergmann <arnd@arndb.de>
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 37e31ba82ca0..754836e4ca0e 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -744,6 +744,9 @@ static irqreturn_t lineevent_irq_thread(int irq, void *p) struct gpioevent_data ge; int ret, level; + /* Do not leak kernel stack to userspace */ + memset(&ge, 0, sizeof(ge)); + ge.timestamp = ktime_get_real_ns(); level = gpiod_get_value_cansleep(le->desc);
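Review bot: The comment above the added memset(&ge, 0, sizeof(ge)) in lineevent_irq_thread() says only "Do not leak kernel stack to userspace", and neither it nor the commit message names which bytes of ge were reaching userspace unset (a member not written on some path, or padding inside struct gpioevent_data). Stating that in the comment would protect the fix, because a later cleanup to an initializer such as `struct gpioevent_data ge = { };` is not guaranteed to clear padding bytes the way memset does. The patch is also Cc'd to stable without a Fixes: tag, so these lines do not show how far back the backport needs to go.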
The GPIO event descriptor was leaking kernel stack to
userspace because we don't zero the variable before
use. Ooops. Fix this.

Cc: stable@vger.kernel.org
Cc: Bartosz Golaszewski <brgl@bgdev.pl>
Cc: Arnd Bergmann <arnd@arndb.de>
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
 drivers/gpio/gpiolib.c | 3 +++
 1 file changed, 3 insertions(+)

--
2.14.3