lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 10 Oct 2008 17:32:55 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Vegard Nossum <vegard.nossum@...il.com>
Cc:	Sitsofe Wheeler <sitsofe@...oo.com>,
	Vegard Nossum <vegardno@....uio.no>,
	Dave Airlie <airlied@...hat.com>,
	Pekka Enberg <penberg@...helsinki.fi>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] drm: fix leak of uninitialized data to userspace
	(acpi_system_read_event)


* Vegard Nossum <vegard.nossum@...il.com> wrote:

> On Fri, Oct 10, 2008 at 4:37 PM, Ingo Molnar <mingo@...e.hu> wrote:
> > * Sitsofe Wheeler <sitsofe@...oo.com> wrote:
> >> > Sitsofe, could you please check very latest tip/master with
> >> > CONFIG_KMEMCHECK=y, does it find any other uninitialized memory access?
> >>
> >> No other uninitialized memory access so far (although having kmemcheck on does seem to provoke rcu stall warnings)...
> 
> Does that also mean that the DRM patch fixed the first one? :-)
> 
> >>
> >> ...I take it back. This just turned up:
> >> [  992.417019] WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (f2363d14)
> >> [  992.417033] 000110000002200061635f61646170746572000000000000cc2c030041433000
> >> [  992.417077]  i i i i i i i i i i i i i i i i i i i u u u u u u u u u i i i i
> >> [  992.417117]                                          ^
> >> [  992.417121]
> >> [  992.417127] Pid: 1893, comm: acpid Not tainted (2.6.27-tipskw-00088-g9f41241-dirty #84) 900
> >> [  992.417134] EIP: 0060:[<c025fbdd>] EFLAGS: 00000286 CPU: 0
> >> [  992.417147] EIP is at acpi_bus_receive_event+0xd6/0x109
> >> [  992.417153] EAX: 00054489 EBX: f2363d00 ECX: 00000006 EDX: ffffffed
> >> [  992.417158] ESI: f2363d14 EDI: f6057f28 EBP: f6057f08 ESP: c0566d68
> >> [  992.417164]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> >> [  992.417169] CR0: 8005003b CR2: f6671034 CR3: 360ea000 CR4: 000006c0
> >> [  992.417175] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> >> [  992.417180] DR6: ffff4ff0 DR7: 00000400
> >> [  992.417184]  [<c026b86f>] acpi_system_read_event+0x49/0xc5
> >> [  992.417195]  [<c01b2381>] proc_reg_read+0x61/0x90
> >> [  992.417206]  [<c017efb5>] vfs_read+0x95/0x120
> >> [  992.417215]  [<c017f5f2>] sys_read+0x42/0x70
> >> [  992.417222]  [<c010336d>] sysenter_do_call+0x12/0x35
> >> [  992.417230]  [<ffffffff>] 0xffffffff
> >
> > this too could be a real bug i think, uncovered by kmemcheck. Vegard?
> 
> No, it looks OK.
> 
> acpi_bus_receive_event() gets an entry off the acpi_bus_event_list and
> copies it to the "struct acpi_bus_event event;" found in
> acpi_system_read_event. So it's a dynamic-memory-to-stack copy.
> 
> It is added to the list in acpi_bus_generate_proc_event4(), which also
> allocates the event and copies some strings into it:
> 
>         strcpy(event->device_class, device_class);
>         strcpy(event->bus_id, bus_id);
> 
> And these are defined as character arrays:
> 
>     typedef char acpi_device_class[20];
>     typedef char acpi_bus_id[5];
> ...
>     struct acpi_bus_event {
>             struct list_head node;
>             acpi_device_class device_class;
>             acpi_bus_id bus_id;
> 
> It would be cool to be track the stack as well (can we tell #PF to
> switch stacks?).  [...]

yeah, the stack would be very interesting to track. Wont be too fast but 
that's part of the deal ...

> [...] Or maybe allow memcpy() of anything to stack, that shouldn't be 
> too hard. Again, it's a balance. Allowing too much in general will 
> throw the child out with the bathwater. Maybe the easiest solution for 
> now is to annotate them. We can do it with the bitfields API in two 
> lines of code extra.

i'd suggest to go for maximum detection power, with smart annotations to 
avoid all false positives. Perhaps with tricks to improve the code in 
other ways too so that we dont have to a change 'only' for annotation 
purposes.

For example many lockdep annotations document the locking rules of a 
given piece of code - that's very useful independently of the 
correctness checking aspect.

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ