drm: fix leak of uninitialized data to userspace (1147c9cd) · Commits · 戴 / test

drivers/gpu/drm/drm_ioctl.c

+7 −3

Original line number	Diff line number	Diff line
		@@ -92,7 +92,8 @@ int drm_setunique(struct drm_device dev, void data,
		return -EINVAL;

		master->unique_len = u->unique_len;
		master->unique = drm_alloc(u->unique_len + 1, DRM_MEM_DRIVER);
		master->unique_size = u->unique_len + 1;
		master->unique = drm_alloc(master->unique_size, DRM_MEM_DRIVER);
		if (!master->unique)
		return -ENOMEM;
		if (copy_from_user(master->unique, u->unique, master->unique_len))
		@@ -136,7 +137,8 @@ static int drm_set_busid(struct drm_device dev, struct drm_file file_priv)
		return -EBUSY;

		master->unique_len = 40;
		master->unique = drm_alloc(master->unique_len + 1, DRM_MEM_DRIVER);
		master->unique_size = master->unique_len;
		master->unique = drm_alloc(master->unique_size, DRM_MEM_DRIVER);
		if (master->unique == NULL)
		return -ENOMEM;

		@@ -145,8 +147,10 @@ static int drm_set_busid(struct drm_device dev, struct drm_file file_priv)
		dev->pdev->bus->number,
		PCI_SLOT(dev->pdev->devfn),
		PCI_FUNC(dev->pdev->devfn));
		if (len > master->unique_len)
		if (len >= master->unique_len)
		DRM_ERROR("buffer overflow");
		else
		master->unique_len = len;

		dev->devname =
		drm_alloc(strlen(dev->driver->pci_driver.name) + master->unique_len +

+1 −1

Original line number	Diff line number	Diff line
		@@ -117,7 +117,7 @@ static void drm_master_destroy(struct kref *kref)
		dev->driver->master_destroy(dev, master);

		if (master->unique) {
		drm_free(master->unique, strlen(master->unique) + 1, DRM_MEM_DRIVER);
		drm_free(master->unique, master->unique_size, DRM_MEM_DRIVER);
		master->unique = NULL;
		master->unique_len = 0;
		}

+1 −0

Original line number	Diff line number	Diff line
		@@ -627,6 +627,7 @@ struct drm_master {

		char unique; /< Unique identifier: e.g., busid /
		int unique_len; /*< Length of unique field /
		int unique_size; /*< amount allocated /

		int blocked; /*< Blocked due to VC switch? /