Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak

Struct ff_effect_compat, which is embedded twice inside
uinput_ff_upload_compat, contains internal padding. In particular, there
is a hole after struct ff_replay to satisfy alignment requirements for
the following union member. Without clearing the structure,
copy_to_user() may leak stack data to userspace.

Initialize ff_up_compat to zero before filling valid fields.

Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput")
Cc: stable@vger.kernel.org
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

Authored by Zhen Ni and committed by Dmitry Torokhov
d3366a04 52e06d56
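The commit message describes the mechanism only in words: a compiler-inserted hole between struct ff_replay and the following union is never written by member assignments, so whatever was on the kernel stack in those bytes goes out through copy_to_user(). The program below reproduces that layout in userspace and measures the leak with and without the memset. It is an added example, not the kernel's code: the struct names (replay_c, effect_c, upload_c), the field values, the 0xAA marker standing in for stale stack contents, and the memcpy() standing in for copy_to_user() are all constructed for this illustration and are not taken from the kernel's uapi headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified, hypothetical stand-ins for the kernel's compat structs; they
 * are constructed for this example and are NOT the kernel's definitions.
 * What matters is the layout: seven 2-byte fields (14 bytes) followed by a
 * union whose widest member is a 4-byte compat pointer, so the compiler
 * inserts a 2-byte hole after 'replay' to align the union.
 */
struct replay_c {
	uint16_t length;
	uint16_t delay;
};

struct effect_c {
	uint16_t type;
	int16_t  id;
	uint16_t direction;
	uint16_t trigger_button;
	uint16_t trigger_interval;
	struct replay_c replay;
	/* 2 bytes of padding land here */
	union {
		int16_t  level;            /* a 2-byte member */
		uint32_t custom_data_ptr;  /* compat_uptr_t stand-in: 4-byte aligned */
	} u;
};

struct upload_c {
	uint32_t request_id;
	int32_t  retval;
	struct effect_c effect;  /* embedded once ... */
	struct effect_c old;     /* ... and again, so two holes per upload */
};

/* Marker byte standing in for whatever was left on the kernel stack. */
#define STALE 0xAA

/* Bytes the compiler inserted between 'replay' and 'u' (expected: 2). */
size_t hole_after_replay(void)
{
	return offsetof(struct effect_c, u)
	       - (offsetof(struct effect_c, replay) + sizeof(struct replay_c));
}

/* Assign every named member; padding is never touched by this. */
static void fill_effect(struct effect_c *e, int16_t id)
{
	e->type = 1;
	e->id = id;
	e->direction = 0x4000;
	e->trigger_button = 0;
	e->trigger_interval = 0;
	e->replay.length = 1000;
	e->replay.delay = 0;
	e->u.custom_data_ptr = 0x12345678u; /* widest member: covers the whole union */
}

/* Count bytes of the outgoing buffer that still carry the stale marker. */
static size_t count_stale(const unsigned char *p, size_t n)
{
	size_t stale = 0;
	for (size_t i = 0; i < n; i++)
		stale += (p[i] == STALE);
	return stale;
}

/* Pre-fix pattern: declare, assign named fields, copy the whole object out.
 * Returns how many stale bytes reach the "user" buffer. */
size_t leaked_bytes_without_memset(void)
{
	struct upload_c up;
	unsigned char out[sizeof(up)];

	memset(&up, STALE, sizeof(up));  /* simulate stale stack contents */
	up.request_id = 7;
	up.retval = 0;
	fill_effect(&up.effect, 1);
	fill_effect(&up.old, 2);
	memcpy(out, &up, sizeof(up));    /* stands in for copy_to_user() */
	return count_stale(out, sizeof(out));
}

/* Same, with the fix: clear the whole object (holes included) first. */
size_t leaked_bytes_with_memset(void)
{
	struct upload_c up;
	unsigned char out[sizeof(up)];

	memset(&up, STALE, sizeof(up));  /* simulate stale stack contents */
	memset(&up, 0, sizeof(up));      /* the fix */
	up.request_id = 7;
	up.retval = 0;
	fill_effect(&up.effect, 1);
	fill_effect(&up.old, 2);
	memcpy(out, &up, sizeof(up));    /* stands in for copy_to_user() */
	return count_stale(out, sizeof(out));
}

int main(void)
{
	printf("hole after replay:     %zu bytes\n", hole_after_replay());
	printf("leaked without memset: %zu bytes\n", leaked_bytes_without_memset());
	printf("leaked with memset:    %zu bytes\n", leaked_bytes_with_memset());
	return 0;
}
```

The unfixed path leaks exactly the two 2-byte holes (one per embedded effect), and nothing else, because every named member is assigned and the union is written through its widest member. An `= { 0 }` initializer would not be a safe substitute: the C standard leaves padding bytes unspecified under member-wise initialization, so only a whole-object memset() is guaranteed to clear them.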

1 file changed, 1 insertion(+)
drivers/input/misc/uinput.c
··· 775 775 if (in_compat_syscall()) { 776 776 struct uinput_ff_upload_compat ff_up_compat; 777 777 778 + memset(&ff_up_compat, 0, sizeof(ff_up_compat)); 778 779 ff_up_compat.request_id = ff_up->request_id; 779 780 ff_up_compat.retval = ff_up->retval; 780 781 /*
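Review bot: memset() is the right choice here over an `= {}` initializer, because C leaves padding bytes unspecified under member-wise initialization and assignment, so only an explicit whole-object clear reliably zeroes the hole after struct ff_replay that the commit message describes; placing it before the first field assignment is also correct. One thing to confirm before merging: the visible context ends at the opening `/*` after the retval assignment, so the rest of the compat path (the effect copies and the copy_to_user() the commit message refers to) is outside this hunk, and the reviewer should check that nothing there re-introduces an uncleared local between this memset and the copy out.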