From patchwork Tue Oct 21 11:01:33 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dheeraj Jamwal <dheerajx.s.jamwal@intel.com>
X-Patchwork-Id: 5124531
Return-Path: <ltsi-dev-bounces@lists.linuxfoundation.org>
X-Original-To: patchwork-ltsi-dev@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 062D9C11AC
	for <patchwork-ltsi-dev@patchwork.kernel.org>;
	Tue, 21 Oct 2014 12:21:08 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 489D620109
	for <patchwork-ltsi-dev@patchwork.kernel.org>;
	Tue, 21 Oct 2014 12:21:07 +0000 (UTC)
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
	[140.211.169.12])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 2911D200E3
	for <patchwork-ltsi-dev@patchwork.kernel.org>;
	Tue, 21 Oct 2014 12:21:06 +0000 (UTC)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
	by mail.linuxfoundation.org (Postfix) with ESMTP id 179F916CF;
	Tue, 21 Oct 2014 11:17:55 +0000 (UTC)
X-Original-To: ltsi-dev@lists.linuxfoundation.org
Delivered-To: ltsi-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 89306168D
	for <ltsi-dev@lists.linuxfoundation.org>;
	Tue, 21 Oct 2014 11:17:52 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
	by smtp1.linuxfoundation.org (Postfix) with ESMTP id 045EA1FB50
	for <ltsi-dev@lists.linuxfoundation.org>;
	Tue, 21 Oct 2014 11:17:51 +0000 (UTC)
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
	by fmsmga102.fm.intel.com with ESMTP; 21 Oct 2014 04:17:51 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.04,761,1406617200"; d="scan'208";a="617803135"
Received: from ubuntu-desktop.png.intel.com ([10.221.122.25])
	by fmsmga002.fm.intel.com with ESMTP; 21 Oct 2014 04:17:50 -0700
From: Dheeraj Jamwal <dheerajx.s.jamwal@intel.com>
To: ltsi-dev@lists.linuxfoundation.org
Date: Tue, 21 Oct 2014 19:01:33 +0800
Message-Id: <1413889294-31328-1094-git-send-email-dheerajx.s.jamwal@intel.com>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1413889294-31328-1-git-send-email-dheerajx.s.jamwal@intel.com>
References: <dheerajx.s.jamwal@intel.com>
	<1413889294-31328-1-git-send-email-dheerajx.s.jamwal@intel.com>
X-Spam-Status: No, score=-5.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
Subject: [LTSI-dev] [PATCH 1093/1094] drm: fix NULL pointer access by wrong
	ioctl
X-BeenThere: ltsi-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "A list to discuss patches, development,
	and other things related to the LTSI project"
	<ltsi-dev.lists.linuxfoundation.org>
List-Unsubscribe: 
 <https://lists.linuxfoundation.org/mailman/options/ltsi-dev>,
	<mailto:ltsi-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/ltsi-dev/>
List-Post: <mailto:ltsi-dev@lists.linuxfoundation.org>
List-Help: <mailto:ltsi-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/ltsi-dev>,
	<mailto:ltsi-dev-request@lists.linuxfoundation.org?subject=subscribe>
MIME-Version: 1.0
Sender: ltsi-dev-bounces@lists.linuxfoundation.org
Errors-To: ltsi-dev-bounces@lists.linuxfoundation.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Zhaowei Yuan <zhaowei.yuan@samsung.com>

If user uses wrong ioctl command with _IOC_NONE and argument size
greater than 0, it can cause NULL pointer access from memset of line
463. If _IOC_NONE, don't memset to 0 for kdata.

Signed-off-by: Zhaowei Yuan <zhaowei.yuan@samsung.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit 1539fb9bd405ee32282ea0a38404f9e008ac5b7a)

Signed-off-by: Dheeraj Jamwal <dheerajx.s.jamwal@intel.com>
---
 drivers/gpu/drm/drm_drv.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 drivers/gpu/drm/drm_drv.c

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
old mode 100644
new mode 100755
index 03711d0..8218078
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -419,8 +419,9 @@ long drm_ioctl(struct file *filp,
 			retcode = -EFAULT;
 			goto err_i1;
 		}
-	} else
+	} else if (cmd & IOC_OUT) {
 		memset(kdata, 0, usize);
+	}
 
 	if (ioctl->flags & DRM_UNLOCKED)
 		retcode = func(dev, kdata, file_priv);