[media] media/vivid-osd: fix info leak in ioctl

commit eda98796 upstream. The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of struct fb_vblank after the ->hcount member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Salva Peiró <speirofr@gmail.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Reference: CVE-2015-7884 Signed-off-by: Kamal Mostafa <kamal@canonical.com>

[media] media/vivid-osd: fix info leak in ioctl
commit eda98796 upstream. The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of struct fb_vblank after the ->hcount member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Salva Peiró <speirofr@gmail.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Reference: CVE-2015-7884 Signed-off-by: Kamal Mostafa <kamal@canonical.com>
1f7cfc48 · Salva Peiró · Kamal Mostafa · 875f1a0d · 1f7cfc48
Commit 1f7cfc48 authored Oct 07, 2015 by Salva Peiró Committed by Kamal Mostafa Nov 12, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

drivers/media/platform/vivid/vivid-osd.c drivers/media/platform/vivid/vivid-osd.c +1 -0

No files found.
--- a/drivers/media/platform/vivid/vivid-osd.c
+++ b/drivers/media/platform/vivid/vivid-osd.c
@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
 	case FBIOGET_VBLANK: {
 		struct fb_vblank vblank;

+		memset(&vblank, 0, sizeof(vblank));
 		vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
 			FB_VBLANK_HAVE_VSYNC;
 		vblank.count = 0;