From de066e116306baf3a6a62691ac63cfc0b1dabddb Mon Sep 17 00:00:00 2001

From: Daniel Vetter <daniel.vetter@ffwll.ch>

Date: Mon, 22 Feb 2021 11:06:43 +0100

Subject: drm/compat: Clear bounce structures

Git-commit: de066e116306baf3a6a62691ac63cfc0b1dabddb

Patch-mainline: v5.12-rc3

References: bsc#1129770

Some of them have gaps, or fields we don't clear. Native ioctl code

does full copies plus zero-extends on size mismatch, so nothing can

leak. But compat is more hand-rolled so need to be careful.

None of these matter for performance, so just memset.

Also I didn't fix up the CONFIG_DRM_LEGACY or CONFIG_DRM_AGP ioctl, those

are security holes anyway.

Acked-by: Maxime Ripard <mripard@kernel.org>

Reported-by: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com # vblank ioctl

Cc: syzbot+620cf21140fc7e772a5d@syzkaller.appspotmail.com

Cc: stable@vger.kernel.org

Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>

Link: https://patchwork.freedesktop.org/patch/msgid/20210222100643.400935-1-daniel.vetter@ffwll.ch

(cherry picked from commit e926c474ebee404441c838d18224cd6f246a71b7)

Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>

Acked-by: Thomas Zimmermann <tzimmermann@suse.de>

---

 drivers/gpu/drm/drm_ioc32.c |   11 +++++++++++

 1 file changed, 11 insertions(+)

--- a/drivers/gpu/drm/drm_ioc32.c

+++ b/drivers/gpu/drm/drm_ioc32.c

@@ -96,6 +96,8 @@ static int compat_drm_version(struct fil

 	if (copy_from_user(&v32, (void __user *)arg, sizeof(v32)))

 		return -EFAULT;

+	memset(&v, 0, sizeof(v));

+

 	v = (struct drm_version) {

 		.name_len = v32.name_len,

 		.name = compat_ptr(v32.name),

@@ -134,6 +136,9 @@ static int compat_drm_getunique(struct f

 	if (copy_from_user(&uq32, (void __user *)arg, sizeof(uq32)))

 		return -EFAULT;

+

+	memset(&uq, 0, sizeof(uq));

+

 	uq = (struct drm_unique){

 		.unique_len = uq32.unique_len,

 		.unique = compat_ptr(uq32.unique),

@@ -260,6 +265,8 @@ static int compat_drm_getclient(struct f

 	if (copy_from_user(&c32, argp, sizeof(c32)))

 		return -EFAULT;

+	memset(&client, 0, sizeof(client));

+

 	client.idx = c32.idx;

 	err = drm_ioctl_kernel(file, drm_getclient, &client, DRM_UNLOCKED);

@@ -842,6 +849,8 @@ static int compat_drm_wait_vblank(struct

 	if (copy_from_user(&req32, argp, sizeof(req32)))

 		return -EFAULT;

+	memset(&req, 0, sizeof(req));

+

 	req.request.type = req32.request.type;

 	req.request.sequence = req32.request.sequence;

 	req.request.signal = req32.request.signal;

@@ -879,6 +888,8 @@ static int compat_drm_mode_addfb2(struct

 	struct drm_mode_fb_cmd2 req64;

 	int err;

+	memset(&req64, 0, sizeof(req64));

+

 	if (copy_from_user(&req64, argp,

 			   offsetof(drm_mode_fb_cmd232_t, modifier)))

 		return -EFAULT;