gpio: Fix kernel stack leak to userspace

Message ID 20180122122146.25689-1-linus.walleij@linaro.org
State New

Commit Message

Linus Walleij Jan. 22, 2018, 12:21 p.m.
The GPIO event descriptor was leaking kernel stack to
userspace because we don't zero the variable before
use. Ooops. Fix this.

Cc: stable@vger.kernel.org
Cc: Bartosz Golaszewski <brgl@bgdev.pl>
Cc: Arnd Bergmann <arnd@arndb.de>
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
 drivers/gpio/gpiolib.c | 3 +++
 1 file changed, 3 insertions(+)
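
An added illustration of the leak the commit message describes, not code from the patch or the kernel: storing each member of a struct leaves its padding bytes holding whatever was in that memory before, and copying the whole struct out exposes them. The `event_data` layout (a 64-bit timestamp followed by a 32-bit id), the `STALE` marker and the helper names are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the event struct; layout (u64 then u32) is an assumption. */
struct event_data {
	uint64_t timestamp;
	uint32_t id;
};

#define STALE 0xAA	/* constructed marker for leftover stack contents */

/* Tail padding: bytes of the struct that belong to no member. */
static size_t padding_bytes(void)
{
	return sizeof(struct event_data) -
	       (offsetof(struct event_data, id) + sizeof(uint32_t));
}

/*
 * Fill a slot with STALE, optionally zero it, store both members, then copy
 * the whole struct out as a read() would. Member stores are modelled as
 * memcpy at each member's offset. Returns the STALE bytes in the copy.
 */
static size_t stale_bytes_copied(int zero_first)
{
	unsigned char slot[sizeof(struct event_data)];
	unsigned char out[sizeof(struct event_data)];
	uint64_t ts = 0x0102030405060708ULL;	/* constructed values */
	uint32_t id = 1;
	size_t i, n = 0;
	memset(slot, STALE, sizeof(slot));
	if (zero_first)
		memset(slot, 0, sizeof(slot));	/* the fix: clear everything */
	memcpy(slot + offsetof(struct event_data, timestamp), &ts, sizeof(ts));
	memcpy(slot + offsetof(struct event_data, id), &id, sizeof(id));
	memcpy(out, slot, sizeof(out));
	for (i = 0; i < sizeof(out); i++)
		n += (out[i] == STALE);
	return n;
}

int main(void)
{
	printf("padding=%zu leaked_without_memset=%zu leaked_with_memset=%zu\n",
	       padding_bytes(), stale_bytes_copied(0), stale_bytes_copied(1));
	return 0;
}
```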

Comments

Bartosz Golaszewski Jan. 22, 2018, 12:23 p.m. | #1
2018-01-22 13:21 GMT+01:00 Linus Walleij <linus.walleij@linaro.org>:
> The GPIO event descriptor was leaking kernel stack to
> userspace because we don't zero the variable before
> use. Ooops. Fix this.
>
> Cc: stable@vger.kernel.org
> Cc: Bartosz Golaszewski <brgl@bgdev.pl>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Reported-by: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
> ---
>  drivers/gpio/gpiolib.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
> index 37e31ba82ca0..754836e4ca0e 100644
> --- a/drivers/gpio/gpiolib.c
> +++ b/drivers/gpio/gpiolib.c
> @@ -744,6 +744,9 @@ static irqreturn_t lineevent_irq_thread(int irq, void *p)
>         struct gpioevent_data ge;
>         int ret, level;
>
> +       /* Do not leak kernel stack to userspace */
> +       memset(&ge, 0, sizeof(ge));
> +
>         ge.timestamp = ktime_get_real_ns();
>         level = gpiod_get_value_cansleep(le->desc);
>
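
Review bot: the only site changed is the `ge` local in `lineevent_irq_thread()`, and neither the hunk nor the commit message says whether other stack structs in gpiolib.c that are handed to userspace were checked for the same pattern. A sentence in the commit message stating that the rest of the file was audited (or listing what remains) would help the stable backport, as would a Fixes: tag next to the Cc: stable line so the affected range is clear.
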
> --
> 2.14.3
>

Reviewed-by: Bartosz Golaszewski <brgl@bgdev.pl>
--
To unsubscribe from this list: send the line "unsubscribe linux-gpio" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Arnd Bergmann Jan. 22, 2018, 1:48 p.m. | #2
On Mon, Jan 22, 2018 at 1:21 PM, Linus Walleij <linus.walleij@linaro.org> wrote:
> The GPIO event descriptor was leaking kernel stack to
> userspace because we don't zero the variable before
> use. Ooops. Fix this.
>
> Cc: stable@vger.kernel.org
> Cc: Bartosz Golaszewski <brgl@bgdev.pl>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Reported-by: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
> ---
>  drivers/gpio/gpiolib.c | 3 +++
>  1 file changed, 3 insertions(+)

Reviewed-by: Arnd Bergmann <arnd@arndb.de>

Patch

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 37e31ba82ca0..754836e4ca0e 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -744,6 +744,9 @@  static irqreturn_t lineevent_irq_thread(int irq, void *p)
 	struct gpioevent_data ge;
 	int ret, level;
 
+	/* Do not leak kernel stack to userspace */
+	memset(&ge, 0, sizeof(ge));
+
 	ge.timestamp = ktime_get_real_ns();
 	level = gpiod_get_value_cansleep(le->desc);
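
Review bot: the new comment above `memset(&ge, 0, sizeof(ge));` does not say which bytes of `ge` were reaching userspace uninitialised, and since `ge.timestamp` is assigned on the very next line a reader cannot tell whether the problem is struct padding or a member left unset on some path. Naming the cause in the comment would also explain why a full memset is used here, so nobody later replaces it with an initializer on the declaration, which is not guaranteed to clear padding.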