| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 26 Oct 2019 12:40:23 -0700
From: Joe Perches <joe@...ches.com>
To: zhanglin <zhang.lin16@....com.cn>, davem@...emloft.net,
cocci <cocci@...teme.lip6.fr>,
Andrew Morton <akpm@...ux-foundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
Linus Torvalds <torvalds@...ux-foundation.org>
Cc: ast@...nel.org, daniel@...earbox.net, jakub.kicinski@...ronome.com,
hawk@...nel.org, john.fastabend@...il.com, mkubecek@...e.cz,
jiri@...lanox.com, pablo@...filter.org, f.fainelli@...il.com,
maxime.chevallier@...tlin.com, lirongqing@...du.com,
vivien.didelot@...il.com, linyunsheng@...wei.com,
natechancellor@...il.com, arnd@...db.de, dan.carpenter@...cle.com,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
bpf@...r.kernel.org, xue.zhihong@....com.cn, wang.yi59@....com.cn,
jiang.xuexin@....com.cn
Subject: Re: [PATCH] net: Zeroing the structure ethtool_wolinfo in
ethtool_get_wol()
On Sat, 2019-10-26 at 15:54 +0800, zhanglin wrote:
> memset() the structure ethtool_wolinfo that has padded bytes
> but the padded bytes have not been zeroed out.
[]
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
[]
> @@ -1471,11 +1471,13 @@ static int ethtool_reset(struct net_device *dev, char __user *useraddr)
>
> static int ethtool_get_wol(struct net_device *dev, char __user *useraddr)
> {
> - struct ethtool_wolinfo wol = { .cmd = ETHTOOL_GWOL };
> + struct ethtool_wolinfo wol;
>
> if (!dev->ethtool_ops->get_wol)
> return -EOPNOTSUPP;
>
> + memset(&wol, 0, sizeof(struct ethtool_wolinfo));
> + wol.cmd = ETHTOOL_GWOL;
> dev->ethtool_ops->get_wol(dev, &wol);
>
> if (copy_to_user(useraddr, &wol, sizeof(wol)))
It seems likely there are more of these.
Is there any way for coccinelle to find them?
There are ~4000 structs in include/uapi and
there are ~3000 uses of copy_to_user in the tree.
$ git grep -P '\bstruct\s+\w+\s*{' include/uapi/ | cut -f2 -d" "|sort|uniq|wc -l
3785
$ git grep -w copy_to_user|wc -l
2854
A trivial grep and manual search using:
$ git grep -B20 -w copy_to_user | grep -A20 -P '\bstruct\s+\w+\s*=\s*{'
shows at least 1 (I didn't look very hard and stopped after finding 1):
include/uapi/linux/utsname.h:struct oldold_utsname {
include/uapi/linux/utsname.h- char sysname[9];
include/uapi/linux/utsname.h- char nodename[9];
include/uapi/linux/utsname.h- char release[9];
include/uapi/linux/utsname.h- char version[9];
include/uapi/linux/utsname.h- char machine[9];
include/uapi/linux/utsname.h-};
and
kernel/sys.c- struct oldold_utsname tmp = {};
kernel/sys.c-
kernel/sys.c- if (!name)
kernel/sys.c- return -EFAULT;
kernel/sys.c-
kernel/sys.c- down_read(&uts_sem);
kernel/sys.c- memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
kernel/sys.c- memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
kernel/sys.c- memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN);
kernel/sys.c- memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN);
kernel/sys.c- memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN);
kernel/sys.c- up_read(&uts_sem);
kernel/sys.c: if (copy_to_user(name, &tmp, sizeof(tmp)))
where there is likely 3 bytes of padding after 45 bytes of data
in the struct.
Powered by blists - more mailing lists