[SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-14156

Kleber Souza
Only Trusty and Zesty are affected.

For Zesty it's a clean cherry-pick; for Trusty a backport is needed to change
the file path, which has been moved.

Vladis Dronov (1):
  video: fbdev: aty: do not leak uninitialized padding in clk to
    userspace

 drivers/video/aty/atyfb_base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][Trusty][PATCH 1/1] video: fbdev: aty: do not leak uninitialized padding in clk to userspace

Kleber Souza
From: Vladis Dronov <[hidden email]>

'clk' is copied to userland with padding byte(s) after 'vclk_post_div'
field uninitialized, leaking data from the stack. Fix this by ensuring all of
'clk' is initialized to zero.

References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <[hidden email]>
Signed-off-by: Vladis Dronov <[hidden email]>
Signed-off-by: Bartlomiej Zolnierkiewicz <[hidden email]>

CVE-2017-14156
(backported from commit 8e75f7a7a00461ef6d91797a60b606367f6e344d)
[klebers: adapted file path, which has been moved by f7018c213502 upstream]
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 drivers/video/aty/atyfb_base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/aty/atyfb_base.c b/drivers/video/aty/atyfb_base.c
index 28fafbf864a5..fc17085ae1f7 100644
--- a/drivers/video/aty/atyfb_base.c
+++ b/drivers/video/aty/atyfb_base.c
@@ -1852,7 +1852,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
 #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
  case ATYIO_CLKR:
  if (M64_HAS(INTEGRATED)) {
- struct atyclk clk;
+ struct atyclk clk = { 0 };
  union aty_pll *pll = &par->pll;
  u32 dsp_config = pll->ct.dsp_config;
  u32 dsp_on_off = pll->ct.dsp_on_off;
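Review bot: The `= { 0 }` initializer on the `struct atyclk clk` declaration zeroes the named members, but the C standard does not clearly promise that padding bytes are cleared by a brace initializer on an automatic variable, and the commit message says the leak is exactly the padding after 'vclk_post_div'. A `memset(&clk, 0, sizeof(clk));` before the members are assigned would state the intent explicitly and would not depend on how the compiler lowers the initializer.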
--
2.14.1
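
The padding leak described in the commit message above, reproduced in user space as an added example that is not part of the original post or of the driver. `struct clk_reply`, `POISON` and the helper names are assumptions made for illustration; the layout is hypothetical and is not the driver's `struct atyclk`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reply layout, NOT the driver's struct atyclk: a one-byte
 * member followed by a 32-bit member makes the compiler insert padding. */
struct clk_reply {
    uint32_t ref_clk_per;
    uint8_t  vclk_post_div;
    uint32_t dsp_config;
};

#define POISON 0xAA /* constructed stand-in for stale stack contents */

/* Store one member's bytes at its real offset inside a raw stack slot. */
#define PUT(slot, member, value) do {                                   \
        struct clk_reply tmp_;                                          \
        tmp_.member = (value);                                          \
        memcpy((slot) + offsetof(struct clk_reply, member),             \
               &tmp_.member, sizeof(tmp_.member));                      \
    } while (0)

/* Bytes between vclk_post_div and the next member that no field covers. */
static size_t padding_size(void)
{
    return offsetof(struct clk_reply, dsp_config)
         - (offsetof(struct clk_reply, vclk_post_div) + sizeof(uint8_t));
}

/* Build the reply the way a handler assigning fields one by one does and
 * count padding bytes that still carry the old stack contents. */
static size_t stale_padding_bytes(int zero_first)
{
    unsigned char slot[sizeof(struct clk_reply)];
    size_t start = offsetof(struct clk_reply, vclk_post_div) + sizeof(uint8_t);
    size_t i, stale = 0;

    memset(slot, POISON, sizeof(slot));   /* previous user of this stack */
    if (zero_first)
        memset(slot, 0, sizeof(slot));    /* clear the whole object first */
    PUT(slot, ref_clk_per, 1);
    PUT(slot, vclk_post_div, 2);
    PUT(slot, dsp_config, 3);

    /* 'slot' is now byte for byte what a full-size copy to userspace sends. */
    for (i = start; i < start + padding_size(); i++)
        if (slot[i] == POISON)
            stale++;
    return stale;
}
```

Every member is assigned in both runs; only the run that clears the whole object first leaves no stale byte in the gap that a `sizeof`-length copy would carry out.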



[SRU][Zesty][PATCH 1/1] video: fbdev: aty: do not leak uninitialized padding in clk to userspace

Kleber Souza
From: Vladis Dronov <[hidden email]>

'clk' is copied to userland with padding byte(s) after 'vclk_post_div'
field uninitialized, leaking data from the stack. Fix this by ensuring all of
'clk' is initialized to zero.

References: https://github.com/torvalds/linux/pull/441
Reported-by: sohu0106 <[hidden email]>
Signed-off-by: Vladis Dronov <[hidden email]>
Signed-off-by: Bartlomiej Zolnierkiewicz <[hidden email]>

CVE-2017-14156
(cherry picked from commit 8e75f7a7a00461ef6d91797a60b606367f6e344d)
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 drivers/video/fbdev/aty/atyfb_base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
index 11026e726b68..81367cf0af77 100644
--- a/drivers/video/fbdev/aty/atyfb_base.c
+++ b/drivers/video/fbdev/aty/atyfb_base.c
@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
 #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
  case ATYIO_CLKR:
  if (M64_HAS(INTEGRATED)) {
- struct atyclk clk;
+ struct atyclk clk = { 0 };
  union aty_pll *pll = &par->pll;
  u32 dsp_config = pll->ct.dsp_config;
  u32 dsp_on_off = pll->ct.dsp_on_off;
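Review bot: The changed declaration sits under `#if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)`, so the ATYIO_CLKR case only exists in builds that define DEBUG, and neither the commit message nor the cover letter says whether the Trusty and Zesty kernel configurations compile it. A line in the SRU justification stating whether the shipped binaries contain this path would let reviewers judge the actual exposure.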
--
2.14.1



ACK: [SRU][Trusty][PATCH 1/1] video: fbdev: aty: do not leak uninitialized padding in clk to userspace

Colin Ian King-2
On 07/12/17 13:50, Kleber Sacilotto de Souza wrote:

> From: Vladis Dronov <[hidden email]>
>
> 'clk' is copied to userland with padding byte(s) after 'vclk_post_div'
> field uninitialized, leaking data from the stack. Fix this by ensuring all of
> 'clk' is initialized to zero.
>
> References: https://github.com/torvalds/linux/pull/441
> Reported-by: sohu0106 <[hidden email]>
> Signed-off-by: Vladis Dronov <[hidden email]>
> Signed-off-by: Bartlomiej Zolnierkiewicz <[hidden email]>
>
> CVE-2017-14156
> (backported from commit 8e75f7a7a00461ef6d91797a60b606367f6e344d)
> [klebers: adapted file path, which has been moved by f7018c213502 upstream]
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
> ---
>  drivers/video/aty/atyfb_base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/aty/atyfb_base.c b/drivers/video/aty/atyfb_base.c
> index 28fafbf864a5..fc17085ae1f7 100644
> --- a/drivers/video/aty/atyfb_base.c
> +++ b/drivers/video/aty/atyfb_base.c
> @@ -1852,7 +1852,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
>  #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
>   case ATYIO_CLKR:
>   if (M64_HAS(INTEGRATED)) {
> - struct atyclk clk;
> + struct atyclk clk = { 0 };
>   union aty_pll *pll = &par->pll;
>   u32 dsp_config = pll->ct.dsp_config;
>   u32 dsp_on_off = pll->ct.dsp_on_off;
>

Looks OK to me.

Acked-by: Colin Ian King <[hidden email]>


ACK: [SRU][Zesty][PATCH 1/1] video: fbdev: aty: do not leak uninitialized padding in clk to userspace

Colin Ian King-2
On 07/12/17 13:50, Kleber Sacilotto de Souza wrote:

> From: Vladis Dronov <[hidden email]>
>
> 'clk' is copied to userland with padding byte(s) after 'vclk_post_div'
> field uninitialized, leaking data from the stack. Fix this by ensuring all of
> 'clk' is initialized to zero.
>
> References: https://github.com/torvalds/linux/pull/441
> Reported-by: sohu0106 <[hidden email]>
> Signed-off-by: Vladis Dronov <[hidden email]>
> Signed-off-by: Bartlomiej Zolnierkiewicz <[hidden email]>
>
> CVE-2017-14156
> (cherry picked from commit 8e75f7a7a00461ef6d91797a60b606367f6e344d)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
> ---
>  drivers/video/fbdev/aty/atyfb_base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
> index 11026e726b68..81367cf0af77 100644
> --- a/drivers/video/fbdev/aty/atyfb_base.c
> +++ b/drivers/video/fbdev/aty/atyfb_base.c
> @@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
>  #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
>   case ATYIO_CLKR:
>   if (M64_HAS(INTEGRATED)) {
> - struct atyclk clk;
> + struct atyclk clk = { 0 };
>   union aty_pll *pll = &par->pll;
>   u32 dsp_config = pll->ct.dsp_config;
>   u32 dsp_on_off = pll->ct.dsp_on_off;
>

Clean cherry pick, looks OK to me.

Acked-by: Colin Ian King <[hidden email]>


ACK: [SRU][Trusty][PATCH 1/1] video: fbdev: aty: do not leak uninitialized padding in clk to userspace

Stefan Bader-2
On 07.12.2017 13:50, Kleber Sacilotto de Souza wrote:

> From: Vladis Dronov <[hidden email]>
>
> 'clk' is copied to userland with padding byte(s) after 'vclk_post_div'
> field uninitialized, leaking data from the stack. Fix this by ensuring all of
> 'clk' is initialized to zero.
>
> References: https://github.com/torvalds/linux/pull/441
> Reported-by: sohu0106 <[hidden email]>
> Signed-off-by: Vladis Dronov <[hidden email]>
> Signed-off-by: Bartlomiej Zolnierkiewicz <[hidden email]>
>
> CVE-2017-14156
> (backported from commit 8e75f7a7a00461ef6d91797a60b606367f6e344d)
> [klebers: adapted file path, which has been moved by f7018c213502 upstream]
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  drivers/video/aty/atyfb_base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/aty/atyfb_base.c b/drivers/video/aty/atyfb_base.c
> index 28fafbf864a5..fc17085ae1f7 100644
> --- a/drivers/video/aty/atyfb_base.c
> +++ b/drivers/video/aty/atyfb_base.c
> @@ -1852,7 +1852,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
>  #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
>   case ATYIO_CLKR:
>   if (M64_HAS(INTEGRATED)) {
> - struct atyclk clk;
> + struct atyclk clk = { 0 };
>   union aty_pll *pll = &par->pll;
>   u32 dsp_config = pll->ct.dsp_config;
>   u32 dsp_on_off = pll->ct.dsp_on_off;
>



ACK: [SRU][Zesty][PATCH 1/1] video: fbdev: aty: do not leak uninitialized padding in clk to userspace

Stefan Bader-2
On 07.12.2017 13:50, Kleber Sacilotto de Souza wrote:

> From: Vladis Dronov <[hidden email]>
>
> 'clk' is copied to userland with padding byte(s) after 'vclk_post_div'
> field uninitialized, leaking data from the stack. Fix this by ensuring all of
> 'clk' is initialized to zero.
>
> References: https://github.com/torvalds/linux/pull/441
> Reported-by: sohu0106 <[hidden email]>
> Signed-off-by: Vladis Dronov <[hidden email]>
> Signed-off-by: Bartlomiej Zolnierkiewicz <[hidden email]>
>
> CVE-2017-14156
> (cherry picked from commit 8e75f7a7a00461ef6d91797a60b606367f6e344d)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  drivers/video/fbdev/aty/atyfb_base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
> index 11026e726b68..81367cf0af77 100644
> --- a/drivers/video/fbdev/aty/atyfb_base.c
> +++ b/drivers/video/fbdev/aty/atyfb_base.c
> @@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
>  #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
>   case ATYIO_CLKR:
>   if (M64_HAS(INTEGRATED)) {
> - struct atyclk clk;
> + struct atyclk clk = { 0 };
>   union aty_pll *pll = &par->pll;
>   u32 dsp_config = pll->ct.dsp_config;
>   u32 dsp_on_off = pll->ct.dsp_on_off;
>



APPLIED: [SRU, Trusty, 1/1] video: fbdev: aty: do not leak uninitialized padding

Thadeu Lima de Souza Cascardo-3
Applied to trusty master-next branch.

Thanks.
Cascardo.

Applied-to: trusty/master-next


APPLIED: [SRU, Zesty, 1/1] video: fbdev: aty: do not leak uninitialized padding

Thadeu Lima de Souza Cascardo-3
Applied to zesty master-next branch.

Thanks.
Cascardo.

Applied-to: zesty/master-next


APPLIED: [SRU, Zesty, 1/1] KEYS: fix dereferencing NULL payload with nonzero

Thadeu Lima de Souza Cascardo-3
Applied to zesty master-next branch.

Thanks.
Cascardo.

Applied-to: zesty/master-next
