From 7f8fb2749b39c2bdb5b2cf7e93aed9ceccafee00 Mon Sep 17 00:00:00 2001
From: "jino.cho"
Date: Thu, 18 Aug 2016 15:02:48 +0900
Subject: [PATCH] drm: fix data structure mismatch between kernel and user
This patch fixes data structure mismatch issue between kerenl and user space. In compat fuction, compat_drm_mode_addfb2(), there was no consideration about the data structure mismatch.
Change-Id: Iae6568e6112a206f98ed7a380ba462de9d71ee5f
Signed-off-by: jino.cho
---
 drivers/gpu/drm/drm_ioc32.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
index a628975..735bd07 100644
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -1034,12 +1034,20 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd,
 struct drm_mode_fb_cmd232 __user *argp = (void __user *)arg;
 struct drm_mode_fb_cmd232 req32;
 struct drm_mode_fb_cmd2 __user *req64;
+ unsigned int usize, asize, drv_size;
 int i;
 int err;
- if (copy_from_user(&req32, argp, sizeof(req32)))
+ drv_size = sizeof(req32);
+ usize = _IOC_SIZE(cmd);
+ asize = max(usize, drv_size);
+
+ if (copy_from_user(&req32, argp, usize))
 return -EFAULT;
+ if (asize > usize)
+ memset((char *)&req32 + usize, 0, asize - usize);
+
 req64 = compat_alloc_user_space(sizeof(*req64));
 if (!access_ok(VERIFY_WRITE, req64, sizeof(*req64))
@@ -1067,7 +1075,7 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd,
 if (__get_user(req32.fb_id, &req64->fb_id))
 return -EFAULT;
- if (copy_to_user(argp, &req32, sizeof(req32)))
+ if (copy_to_user(argp, &req32, usize))
 return -EFAULT;
 return 0;
--
2.7.4
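Review bot: `usize` is taken from `_IOC_SIZE(cmd)` and is never bounded by `sizeof(req32)`, so in the first hunk `copy_from_user(&req32, argp, usize)` can write past the on-stack `req32` whenever the size encoded in the ioctl command exceeds the struct. The second hunk reuses the same value, so `copy_to_user(argp, &req32, usize)` would then read past `req32` and hand adjacent kernel stack bytes back to user space. The `asize`/`memset` path only handles the short case (`usize < drv_size`). Clamp before the first copy with `usize = min_t(unsigned int, _IOC_SIZE(cmd), drv_size);`, or reject oversized requests with `if (usize > drv_size) return -EINVAL;`. The function starts and ends outside both hunks, so any earlier validation of `cmd` is not visible here and should be confirmed.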