• Vegard Nossum's avatar
    drm: fix leak of uninitialized data to userspace · 1147c9cd
    Vegard Nossum authored
    ...so drm_getunique() is trying to copy some uninitialized data to
    userspace. The ECX register contains the number of words that are
    left to copy -- so there are 5 * 4 = 20 bytes left. The offset of the
    first uninitialized byte (counting from the start of the string) is
    also 20 (i.e. 0xf65d2294&((1 << 5)-1) == 20). So somebody tried to
    copy 40 bytes when the string was only 19 long.
    
    In drm_set_busid() we have this code:
    
            dev->unique_len = 40;
            dev->unique = drm_alloc(dev->unique_len + 1, DRM_MEM_DRIVER);
          ...
            len = snprintf(dev->unique, dev->unique_len, pci:%04x:%02x:%02x.%d",
    
    ...so it seems that dev->unique is never updated to reflect the
    actual length of the string. The remaining bytes (20 in this case)
    are random uninitialized bytes that are copied into userspace.
    
    This patch fixes the problem by setting dev->unique_len after the
    snprintf().
    
    airlied- I've had to fix this up to store the alloced size so
    we have it for drm_free later.
    Reported-by: default avatarSitsofe Wheeler <sitsofe@yahoo.com>
    Signed-off-by: default avatarVegard Nossum <vegardno@thuin.ifi.uio.no>
    Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
    1147c9cd
drm_ioctl.c 9.21 KB