author: Zhen Ni <zhen.ni@easystack.cn> 2025-09-28 14:37:37 +0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-10-15 12:00:24 +0200
commit: 48c96b7e9e03516936d6deba54b5553097eae817 (patch)
tree: 4ed8c111549f39b41a9af82bff8ffffcf0a1a5f0 /drivers/input
parent: 2c988e1f9df01ab0ff7caa28ad5c08b2313cc40a (diff)
Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak

commit d3366a04770eea807f2826cbdb96934dd8c9bf79 upstream.

Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace.

Initialize ff_up_compat to zero before filling valid fields.

Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput")
Cc: stable@vger.kernel.org
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

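
The padding hole the commit message describes can be reproduced in user space. The following is an added example, not code from the kernel or from this commit: `demo_effect` and `demo_replay` are simplified stand-in structs (assumed layouts, not the kernel's definitions), and 0xAA bytes are a constructed stand-in for stale stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins, NOT the kernel's definitions: 14 bytes of 16-bit
 * fields followed by a union that needs 4-byte alignment. */
struct demo_replay { uint16_t length, delay; };
struct demo_effect {
    uint16_t type;
    int16_t  id;
    uint16_t direction;
    uint16_t trigger_button, trigger_interval;
    struct demo_replay replay;
    union { uint32_t custom_data; uint16_t level; } u;
};

#define HOLE_START (offsetof(struct demo_effect, replay) + sizeof(struct demo_replay))
#define HOLE_END   offsetof(struct demo_effect, u)

/* Size of the compiler-inserted hole between replay and the union. */
size_t hole_after_replay(void) { return HOLE_END - HOLE_START; }

/* Fill every named field, then count hole bytes that still hold the 0xAA
 * marker. zero_first models the memset() that the fix adds. */
size_t stale_bytes_in_hole(int zero_first)
{
    struct demo_effect e;
    const unsigned char *raw = (const unsigned char *)&e;
    size_t i, stale = 0;

    memset(&e, 0xAA, sizeof(e));   /* constructed "old stack data" */
    if (zero_first)
        memset(&e, 0, sizeof(e));
    e.type = 0x51; e.id = 1; e.direction = 0;
    e.trigger_button = 0; e.trigger_interval = 0;
    e.replay.length = 100; e.replay.delay = 0;
    e.u.custom_data = 0;
    for (i = HOLE_START; i < HOLE_END; i++)   /* bytes a whole-struct copy would carry */
        stale += (raw[i] == 0xAA);
    return stale;
}

int main(void)
{
    printf("hole after replay: %zu bytes\n", hole_after_replay());
    printf("stale bytes, fields only: %zu\n", stale_bytes_in_hole(0));
    printf("stale bytes, memset first: %zu\n", stale_bytes_in_hole(1));
    return 0;
}
```
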
Diffstat (limited to 'drivers/input')
-rw-r--r-- drivers/input/misc/uinput.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 2c51ea9d01d7..13336a2fd49c 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -775,6 +775,7 @@ static int uinput_ff_upload_to_user(char __user *buffer,
if (in_compat_syscall()) {
struct uinput_ff_upload_compat ff_up_compat;
+ memset(&ff_up_compat, 0, sizeof(ff_up_compat));
ff_up_compat.request_id = ff_up->request_id;
ff_up_compat.retval = ff_up->retval;
/*
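
Review bot: The added memset(&ff_up_compat, 0, sizeof(ff_up_compat)) has no comment saying why it is needed, and because the lines right after it assign request_id and retval field by field, a later cleanup could read it as redundant and drop it or swap it for an initializer. Suggest a one-line comment above the memset noting that the struct has padding holes and is handed to copy_to_user(), as the commit message explains, so the reason for clearing the whole object stays next to the code.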