pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace

riteshharjani · gregkh · commit 0479b6e9f999 · 2026-05-14T15:30:16.000+02:00
commit cefeed4 upstream. The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user(). This patch fixes that by initializing the whole struct to 0. Cc: stable@vger.kernel.org Fixes: cebdb52 ("powerpc/pseries: Receive payload with ibm,receive-hvpipe-msg RTAS") Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com> Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com> Link: https://patch.msgid.link/7bfe03b65a282c856ed8182d1871bb973c0b78f2.1777606826.git.ritesh.list@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/arch/powerpc/platforms/pseries/papr-hvpipe.c b/arch/powerpc/platforms/pseries/papr-hvpipe.c
@@ -327,7 +327,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file,
 {
 
 	struct hvpipe_source_info *src_info = file->private_data;
-	struct papr_hvpipe_hdr hdr;
+	struct papr_hvpipe_hdr hdr = {};
 	long ret;
 
 	/*

Original file line number	Diff line number	Diff line change
`@@ -327,7 +327,7 @@ static ssize_t papr_hvpipe_handle_read(struct file *file,`
`327`	`327`	`{`
`328`	`328`
`329`	`329`	`struct hvpipe_source_info *src_info = file->private_data;`
`330`		`- struct papr_hvpipe_hdr hdr;`
	`330`	`+ struct papr_hvpipe_hdr hdr = {};`
`331`	`331`	`long ret;`
`332`	`332`
`333`	`333`	`/*`