[PATCH] Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak

28 Sep 2025

Struct ff_effect_compat is embedded twice inside
uinput_ff_upload_compat, contains internal padding. In particular, there
is a hole after struct ff_replay to satisfy alignment requirements for
the following union member. Without clearing the structure,
copy_to_user() may leak stack data to userspace.
Initialize ff_up_compat to zero before filling valid fields.
Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput")
Cc: stable@vger.kernel.org
Signed-off-by: Zhen Ni zhen.ni@easystack.cn
---
 drivers/input/misc/uinput.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 2c51ea9d01d7..13336a2fd49c 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -775,6 +775,7 @@ static int uinput_ff_upload_to_user(char __user *buffer,
    if (in_compat_syscall()) {
    	struct uinput_ff_upload_compat ff_up_compat;
+		memset(&ff_up_compat, 0, sizeof(ff_up_compat));
    	ff_up_compat.request_id = ff_up->request_id;
    	ff_up_compat.retval = ff_up->retval;
    	/*
-- 
2.20.1



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH] Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak