Date:	Fri, 10 Oct 2008 16:37:07 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Sitsofe Wheeler <sitsofe@...oo.com>
Cc:	Vegard Nossum <vegardno@....uio.no>,
	Dave Airlie <airlied@...hat.com>,
	Pekka Enberg <penberg@...helsinki.fi>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] drm: fix leak of uninitialized data to userspace
	(acpi_system_read_event)


* Sitsofe Wheeler <sitsofe@...oo.com> wrote:

> > From: Ingo Molnar <mingo@...e.hu>
> 
> > 
> > * Vegard Nossum wrote:
> >
> > > ...so it seems that dev->unique is never updated to reflect the
> > > actual length of the string. The remaining bytes (20 in this case)
> > > are random uninitialized bytes that are copied into userspace.
> > > 
> > > This patch fixes the problem by setting dev->unique_len after the
> > > snprintf().
> > > 
> > > Completely untested.
> > > 
> > > Reported-by: Sitsofe Wheeler 
> > > Signed-off-by: Vegard Nossum 
> > 
> > i've stuck it into the tip/out-of-tree quick-fixes branch.
> > 
> > Sitsofe, could you please check very latest tip/master with 
> > CONFIG_KMEMCHECK=y, does it find any other uninitialized memory access?
> 
> No other uninitialized memory access so far (although having kmemcheck on does seem to provoke rcu stall warnings)...
> 
> ...I take it back. This just turned up:
> [  992.417019] WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (f2363d14)
> [  992.417033] 000110000002200061635f61646170746572000000000000cc2c030041433000
> [  992.417077]  i i i i i i i i i i i i i i i i i i i u u u u u u u u u i i i i
> [  992.417117]                                          ^
> [  992.417121] 
> [  992.417127] Pid: 1893, comm: acpid Not tainted (2.6.27-tipskw-00088-g9f41241-dirty #84) 900
> [  992.417134] EIP: 0060:[<c025fbdd>] EFLAGS: 00000286 CPU: 0
> [  992.417147] EIP is at acpi_bus_receive_event+0xd6/0x109
> [  992.417153] EAX: 00054489 EBX: f2363d00 ECX: 00000006 EDX: ffffffed
> [  992.417158] ESI: f2363d14 EDI: f6057f28 EBP: f6057f08 ESP: c0566d68
> [  992.417164]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> [  992.417169] CR0: 8005003b CR2: f6671034 CR3: 360ea000 CR4: 000006c0
> [  992.417175] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> [  992.417180] DR6: ffff4ff0 DR7: 00000400
> [  992.417184]  [<c026b86f>] acpi_system_read_event+0x49/0xc5
> [  992.417195]  [<c01b2381>] proc_reg_read+0x61/0x90
> [  992.417206]  [<c017efb5>] vfs_read+0x95/0x120
> [  992.417215]  [<c017f5f2>] sys_read+0x42/0x70
> [  992.417222]  [<c010336d>] sysenter_do_call+0x12/0x35
> [  992.417230]  [<ffffffff>] 0xffffffff

this too could be a real bug i think, uncovered by kmemcheck. Vegard?

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
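The defect Vegard describes above (a string written with snprintf() into a buffer whose separately tracked length field is never updated, so a stale length governs how many bytes are later copied out) is easy to model outside the kernel. The following is an added example, not code from this thread or from the DRM driver; the struct, function names and the 0xAA fill are constructed stand-ins (0xAA plays the role of the uninitialized heap bytes kmemcheck flagged), and the buggy and fixed setters sit side by side so the difference in what reaches the caller can be measured.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the pattern discussed in the thread: a device
 * object keeps a string buffer plus a separately tracked length, and the
 * length field, not the string, decides how many bytes are copied out. */
#define UNIQUE_LEN 64

struct fake_dev {
    char unique[UNIQUE_LEN];
    size_t unique_len;
};

/* Buggy variant: writes the string but never updates unique_len. */
static void set_unique_buggy(struct fake_dev *dev, const char *bus, int id)
{
    snprintf(dev->unique, UNIQUE_LEN, "%s:%d", bus, id);
    /* dev->unique_len deliberately left untouched: this is the defect. */
}

/* Fixed variant: record the length snprintf() actually produced, clamped
 * to the buffer so a truncated result cannot over-report. */
static void set_unique_fixed(struct fake_dev *dev, const char *bus, int id)
{
    int n = snprintf(dev->unique, UNIQUE_LEN, "%s:%d", bus, id);
    if (n < 0)
        n = 0;
    if (n >= UNIQUE_LEN)
        n = UNIQUE_LEN - 1;
    dev->unique_len = (size_t)n;
}

/* Stand-in for the copy_to_user() path: hands out unique_len bytes and
 * returns how many were copied. */
static size_t read_unique(const struct fake_dev *dev, char *out, size_t out_size)
{
    size_t n = dev->unique_len < out_size ? dev->unique_len : out_size;
    memcpy(out, dev->unique, n);
    return n;
}

/* Counts bytes handed to the caller that lie past the string and its NUL,
 * i.e. bytes snprintf() never wrote. */
static size_t count_leaked_bytes(const char *out, size_t n)
{
    size_t written = 0;
    while (written < n && out[written] != '\0')
        written++;
    if (written < n)
        written++;          /* include the terminating NUL itself */
    return n - written;
}

/* Runs one scenario and returns the number of never-written bytes that
 * reached the caller. use_fix selects the corrected setter. */
static size_t demo_leak(int use_fix)
{
    struct fake_dev dev;
    char out[UNIQUE_LEN];

    /* Constructed stand-in for stale heap contents. */
    memset(&dev, 0xAA, sizeof dev);
    /* A stale length left behind by an earlier, longer string. */
    dev.unique_len = 32;

    if (use_fix)
        set_unique_fixed(&dev, "pci", 7);   /* "pci:7" = 5 chars + NUL */
    else
        set_unique_buggy(&dev, "pci", 7);

    size_t n = read_unique(&dev, out, sizeof out);
    return count_leaked_bytes(out, n);
}

int main(void)
{
    printf("buggy setter: %zu stale bytes copied out\n", demo_leak(0));
    printf("fixed setter: %zu stale bytes copied out\n", demo_leak(1));
    return 0;
}
```

With the buggy setter the copy is still driven by the stale length of 32, so 26 bytes beyond "pci:7" and its NUL are handed out; with the length updated from snprintf()'s return value, nothing past the string leaves the buffer. The clamp on the fixed path matters too: snprintf() returns the length the string would have had, so an unclamped assignment after truncation would over-read the buffer in the same way.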
