powerpc: Zero fill the return values of rtas argument buffer

The kernel copy of the rtas args struct contains the return value(s) for the specified rtas call. These are copied back to user space with the assumption that every value has been set by the rtas call, which turns out to be not always true. Thus userspace can see random values and think the call failed when in fact it succeeded, but for some reason didn't set one of the return values. This fixes the problem by zeroing out the return value fields of the rtas args struct before processing the rtas call. Signed-off-by: Nathan Fontenot <nfont@austin.ibm.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
mariux64 · Aug 11, 2008 · b79998f · b79998f
1 parent 9ea7d5a
commit b79998f
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
@@ -792,6 +792,9 @@ asmlinkage int ppc_rtas(struct rtas_args __user *uargs)
 	if (args.token == RTAS_UNKNOWN_SERVICE)
 		return -EINVAL;
 
+	args.rets = &args.args[nargs];
+	memset(args.rets, 0, args.nret * sizeof(rtas_arg_t));
+
 	/* Need to handle ibm,suspend_me call specially */
 	if (args.token == ibm_suspend_me_token) {
 		rc = rtas_ibm_suspend_me(&args);
@@ -808,8 +811,6 @@ asmlinkage int ppc_rtas(struct rtas_args __user *uargs)
 	enter_rtas(__pa(&rtas.args));
 	args = rtas.args;
 
-	args.rets = &args.args[nargs];
-
 	/* A -1 return code indicates that the last command couldn't
 	   be completed due to a hardware error. */
 	if (args.rets[0] == -1)