From patchwork Wed Dec 2 14:59:32 2015
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 551395
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft
Subject: [wily/master-next 2/7] [media] media/vivid-osd: fix info leak in ioctl
Date: Wed, 2 Dec 2015 14:59:32 +0000
Message-Id: <1449068377-21867-3-git-send-email-apw@canonical.com>
In-Reply-To: <1449068377-21867-1-git-send-email-apw@canonical.com>
References: <1449068377-21867-1-git-send-email-apw@canonical.com>

From: Salva Peiró

The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of struct fb_vblank after the ->hcount member. Add an explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Salva Peiró
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
(cherry picked from commit eda98796aff0d9bf41094b06811f5def3b4c333c)
CVE-2015-7884
BugLink: http://bugs.launchpad.net/bugs/1509564
Signed-off-by: Andy Whitcroft
--- drivers/media/platform/vivid/vivid-osd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c index 084d346..e15eef6 100644 --- a/drivers/media/platform/vivid/vivid-osd.c +++ b/drivers/media/platform/vivid/vivid-osd.c @@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg) case FBIOGET_VBLANK: { struct fb_vblank vblank; + memset(&vblank, 0, sizeof(vblank)); vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT | FB_VBLANK_HAVE_VSYNC; vblank.count = 0;
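
Review bot: in the FBIOGET_VBLANK case of vivid_fb_ioctl(), the added memset(&vblank, 0, sizeof(vblank)) has no comment saying why it is there, and it sits directly above a run of per-field assignments, so a later cleanup could drop it as redundant or replace it with a struct initializer. Suggest a one-line comment above it noting that it clears the _reserved bytes after ->hcount (the leak the commit message describes) and that a whole-structure memset is intentional, since it also covers any padding. With the memset in place, the following vblank.count = 0; is redundant; keeping it is fine for a clean cherry-pick that matches the upstream commit. The placement is right: it comes after the declaration and before the first field write, so none of the assigned values are overwritten.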