author: Adrian Salido <salidoa@google.com> 2017-04-27 10:32:55 -0700
committer: Mark Salyzyn <salyzyn@google.com> 2017-06-12 08:33:35 -0700
commit: e468d713930a359e99219be69283ac14019ce859 (patch)
tree: 764b675bf26e5bbdcdac92712c7863c6873bd965
parent: 5c6ada561458b4e59d4b6029925f3180a046440c (diff)
download: tegra-e468d713930a359e99219be69283ac14019ce859.tar.gz
UPSTREAM: dm ioctl: prevent stack leak in dm ioctl call
commit 4617f564c06117c7d1b611be49521a4430042287 upstream.

When calling a dm ioctl that doesn't process any data (IOCTL_FLAGS_NO_PARAMS), the contents of the data field in struct dm_ioctl are left initialized. Current code is incorrectly extending the size of data copied back to user, causing the contents of kernel stack to be leaked to user. Fix by only copying contents before data and allow the functions processing the ioctl to override.

Signed-off-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 35644370
Change-Id: I4f9a857d0f851ed37eff2d7b0f04e92dc6cf3b56

 drivers/md/dm-ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
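The following is an added userspace model of the defect the commit message describes; it is not code from the kernel or from this commit. A header struct is followed by a `data` area that only some handlers fill, and the caller receives `data_size` bytes back. `struct fake_ioctl`, its field layout, the two handlers, the 0xAA "stale memory" pattern and the helper names are all constructed for this example; they only loosely mirror `struct dm_ioctl`. The example shows that defaulting `data_size` to `sizeof(*param)` copies the untouched trailing bytes back to the caller, while defaulting to `offsetof(..., data)` copies only the header, and a handler that does return data still gets its payload out by overriding `data_size` itself.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed header + payload layout (an assumption, not the kernel's). */
struct fake_ioctl {
    uint32_t version;
    uint32_t data_size;   /* number of bytes copied back to the caller */
    uint32_t flags;
    char data[32];        /* only meaningful for ioctls that return data */
};

#define STALE_BYTE 0xAA   /* stands in for whatever was on the stack before */

/* Handler that processes no data: the model of an IOCTL_FLAGS_NO_PARAMS
 * call.  It never touches data[] and never changes data_size. */
static int handler_no_params(struct fake_ioctl *p) {
    p->flags |= 1u;
    return 0;
}

/* Handler that returns a payload and therefore overrides data_size so
 * that exactly the header plus the bytes it wrote are copied back. */
static int handler_with_data(struct fake_ioctl *p) {
    const char msg[] = "ok";                    /* 3 bytes incl. NUL */
    memcpy(p->data, msg, sizeof msg);
    p->data_size = (uint32_t)(offsetof(struct fake_ioctl, data) + sizeof msg);
    return 0;
}

/* Models the dispatch: seed the param block with stale bytes, pick the
 * default data_size (use_offsetof = 1 is the fixed behaviour, 0 the old
 * one), run the handler, then copy data_size bytes to the caller's
 * buffer.  Returns the number of bytes copied. */
static size_t run_ioctl(int use_offsetof, int (*fn)(struct fake_ioctl *),
                        unsigned char *user, size_t user_len) {
    struct fake_ioctl param;
    memset(&param, STALE_BYTE, sizeof param);   /* uninitialised stack model */
    param.version = 4;
    param.flags = 0;
    param.data_size = use_offsetof ? (uint32_t)offsetof(struct fake_ioctl, data)
                                   : (uint32_t)sizeof param;
    if (fn(&param) != 0)
        return 0;
    size_t n = param.data_size;
    if (n > user_len)
        n = user_len;                           /* bound by the caller's buffer */
    memcpy(user, &param, n);
    return n;
}

/* Counts bytes beyond the header in the caller's buffer that still carry
 * the stale pattern, i.e. bytes that should never have been copied. */
static size_t leaked_bytes(const unsigned char *user, size_t copied) {
    size_t leaked = 0;
    for (size_t i = offsetof(struct fake_ioctl, data); i < copied; i++)
        if (user[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

/* Runs one scenario and reports leaked bytes; *copied_out receives the
 * number of bytes handed to the caller. */
static size_t run_case(int use_offsetof, int with_data, size_t *copied_out) {
    unsigned char user[64];
    memset(user, 0, sizeof user);
    size_t copied = run_ioctl(use_offsetof,
                              with_data ? handler_with_data : handler_no_params,
                              user, sizeof user);
    if (copied_out)
        *copied_out = copied;
    return leaked_bytes(user, copied);
}

int main(void) {
    size_t copied;
    assert(run_case(0, 0, &copied) == 32);      /* old default: 32 stale bytes leak */
    assert(run_case(1, 0, &copied) == 0);       /* fixed default: header only */
    assert(run_case(1, 1, &copied) == 0 && copied == 15); /* payload still returned */
    return 0;
}
```

The check that matters for review is the third case: once the default shrinks to the header, any handler that does return data has to set `data_size` itself, which is what the commit message means by letting the processing functions override.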
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 1debe0433ec6..31f849931515 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1767,7 +1767,7 @@ static int ctl_ioctl(uint command, struct dm_ioctl __user *user)
if (r)
goto out;
- param->data_size = sizeof(*param);
+ param->data_size = offsetof(struct dm_ioctl, data);
r = fn(param, input_param_size);
if (unlikely(param->flags & DM_BUFFER_FULL_FLAG) &&
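Review bot: the one-line change `param->data_size = offsetof(struct dm_ioctl, data);` silently moves a responsibility onto every handler: any `fn` that returns payload in `data` must now set `param->data_size` itself, or the caller receives only the header. A short comment above that line stating the contract (default is header only; handlers that return data override `data_size`) would keep a future cleanup from restoring `sizeof(*param)`. It is also worth confirming in the surrounding code not shown in this hunk that the copy back to `user` is bounded by `param->data_size` rather than by the struct size, and that the `DM_BUFFER_FULL_FLAG` path directly below still reports the size the caller needs.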