Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933316AbbBBN51 (ORCPT ); Mon, 2 Feb 2015 08:57:27 -0500 Received: from aserp1040.oracle.com ([141.146.126.69]:20114 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932871AbbBBN5Z (ORCPT ); Mon, 2 Feb 2015 08:57:25 -0500 From: Quentin Casasnovas To: David Airlie Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, Quentin Casasnovas Subject: [PATCH] i915: stack address leak when failing to read registers. Date: Mon, 2 Feb 2015 14:58:36 +0100 Message-Id: <1422885516-533-1-git-send-email-quentin.casasnovas@oracle.com> X-Mailer: git-send-email 2.0.5 X-Source-IP: ucsinet22.oracle.com [156.151.31.94] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3864 Lines: 104 It is possible for the *_read*() functions to fail, in which case it'll leave its third argument untouched. Most of the code do not check the return value of *_read*() functions, and will happily use garbage from the stack to test various things. For example, ch7xxx_dump_regs() will leak 1 byte from the stack in case of failure, ivch_dump_regs() 2 bytes, etc. Instead of fixing every caller to check the return value, just clear the output variable so this patch can easily go to -stable. A proper fix would probably to check the return value everywhere though, since it does not make much sense to carry on talking to the ship after some error. This issue was found by code review while preparing Ksplice updates. Signed-off-by: Quentin Casasnovas --- drivers/gpu/drm/i915/dvo_ch7017.c | 1 + drivers/gpu/drm/i915/dvo_ch7xxx.c | 1 + drivers/gpu/drm/i915/dvo_ivch.c | 1 + drivers/gpu/drm/i915/dvo_ns2501.c | 2 +- drivers/gpu/drm/i915/dvo_sil164.c | 1 + drivers/gpu/drm/i915/dvo_tfp410.c | 1 + 6 files changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/dvo_ch7017.c b/drivers/gpu/drm/i915/dvo_ch7017.c index 86b27d1..826ac6c 100644 --- a/drivers/gpu/drm/i915/dvo_ch7017.c +++ b/drivers/gpu/drm/i915/dvo_ch7017.c @@ -181,6 +181,7 @@ static bool ch7017_read(struct intel_dvo_device *dvo, u8 addr, u8 *val) .buf = val, } }; + *val = 0; return i2c_transfer(dvo->i2c_bus, msgs, 2) == 2; } diff --git a/drivers/gpu/drm/i915/dvo_ch7xxx.c b/drivers/gpu/drm/i915/dvo_ch7xxx.c index 80449f4..4ebbeef 100644 --- a/drivers/gpu/drm/i915/dvo_ch7xxx.c +++ b/drivers/gpu/drm/i915/dvo_ch7xxx.c @@ -166,6 +166,7 @@ static bool ch7xxx_readb(struct intel_dvo_device *dvo, int addr, uint8_t *ch) DRM_DEBUG_KMS("Unable to read register 0x%02x from %s:%02x.\n", addr, adapter->name, dvo->slave_addr); } + *ch = 0; return false; } diff --git a/drivers/gpu/drm/i915/dvo_ivch.c b/drivers/gpu/drm/i915/dvo_ivch.c index 0f2587f..43604f0a 100644 --- a/drivers/gpu/drm/i915/dvo_ivch.c +++ b/drivers/gpu/drm/i915/dvo_ivch.c @@ -202,6 +202,7 @@ static bool ivch_read(struct intel_dvo_device *dvo, int addr, uint16_t *data) "%s:%02x.\n", addr, adapter->name, dvo->slave_addr); } + *data = 0; return false; } diff --git a/drivers/gpu/drm/i915/dvo_ns2501.c b/drivers/gpu/drm/i915/dvo_ns2501.c index 44163043..b314f64 100644 --- a/drivers/gpu/drm/i915/dvo_ns2501.c +++ b/drivers/gpu/drm/i915/dvo_ns2501.c @@ -409,7 +409,7 @@ static bool ns2501_readb(struct intel_dvo_device *dvo, int addr, uint8_t * ch) ("Unable to read register 0x%02x from %s:0x%02x.\n", addr, adapter->name, dvo->slave_addr); } - + *ch = 0; return false; } diff --git a/drivers/gpu/drm/i915/dvo_sil164.c b/drivers/gpu/drm/i915/dvo_sil164.c index fa01149..7d5a440 100644 --- a/drivers/gpu/drm/i915/dvo_sil164.c +++ b/drivers/gpu/drm/i915/dvo_sil164.c @@ -99,6 +99,7 @@ static bool sil164_readb(struct intel_dvo_device *dvo, int addr, uint8_t *ch) DRM_DEBUG_KMS("Unable to read register 0x%02x from %s:%02x.\n", addr, adapter->name, dvo->slave_addr); } + *ch = 0; return false; } diff --git a/drivers/gpu/drm/i915/dvo_tfp410.c b/drivers/gpu/drm/i915/dvo_tfp410.c index 7853719..2b66881 100644 --- a/drivers/gpu/drm/i915/dvo_tfp410.c +++ b/drivers/gpu/drm/i915/dvo_tfp410.c @@ -124,6 +124,7 @@ static bool tfp410_readb(struct intel_dvo_device *dvo, int addr, uint8_t *ch) DRM_DEBUG_KMS("Unable to read register 0x%02x from %s:%02x.\n", addr, adapter->name, dvo->slave_addr); } + *ch = 0; return false; } -- 2.0.5 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/