| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200726221056.GJ28704@pendragon.ideasonboard.com>
Date: Mon, 27 Jul 2020 01:10:56 +0300
From: Laurent Pinchart <laurent.pinchart@...asonboard.com>
To: Peilin Ye <yepeilin.cs@...il.com>
Cc: Mauro Carvalho Chehab <mchehab@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
syzkaller-bugs@...glegroups.com,
Hans Verkuil <hverkuil-cisco@...all.nl>,
Sakari Ailus <sakari.ailus@...ux.intel.com>,
Arnd Bergmann <arnd@...db.de>,
Vandana BN <bnvandana@...il.com>,
Ezequiel Garcia <ezequiel@...labora.com>,
Niklas Söderlund
<niklas.soderlund+renesas@...natech.se>,
linux-kernel-mentees@...ts.linuxfoundation.org,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH v2] media/v4l2-core: Fix
kernel-infoleak in video_put_user()
Hi Peilin,
Thank you for the patch.
On Sun, Jul 26, 2020 at 06:05:57PM -0400, Peilin Ye wrote:
> video_put_user() is copying uninitialized stack memory to userspace. Fix
> it by initializing `ev32` and `vb32` using memset().
How about mentioning that this is caused by the compiler not
initializing the holes ? Maybe something along the lines of
video_put_user() is copying uninitialized stack memory to userspace due
to the compiler not initializing holes in the structures declared on the
stack. Fix it by initializing the structures using memset().
Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>
> Reported-and-tested-by: syzbot+79d751604cb6f29fbf59@...kaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=79d751604cb6f29fbf59
> Signed-off-by: Peilin Ye <yepeilin.cs@...il.com>
> ---
> Change in v2:
> - Do the same thing for `case VIDIOC_DQEVENT_TIME32`.
>
> drivers/media/v4l2-core/v4l2-ioctl.c | 50 +++++++++++++++-------------
> 1 file changed, 27 insertions(+), 23 deletions(-)
>
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index a556880f225a..e3a25ea913ac 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -3189,14 +3189,16 @@ static int video_put_user(void __user *arg, void *parg, unsigned int cmd)
> #ifdef CONFIG_COMPAT_32BIT_TIME
> case VIDIOC_DQEVENT_TIME32: {
> struct v4l2_event *ev = parg;
> - struct v4l2_event_time32 ev32 = {
> - .type = ev->type,
> - .pending = ev->pending,
> - .sequence = ev->sequence,
> - .timestamp.tv_sec = ev->timestamp.tv_sec,
> - .timestamp.tv_nsec = ev->timestamp.tv_nsec,
> - .id = ev->id,
> - };
> + struct v4l2_event_time32 ev32;
> +
> + memset(&ev32, 0, sizeof(ev32));
> +
> + ev32.type = ev->type;
> + ev32.pending = ev->pending;
> + ev32.sequence = ev->sequence;
> + ev32.timestamp.tv_sec = ev->timestamp.tv_sec;
> + ev32.timestamp.tv_nsec = ev->timestamp.tv_nsec;
> + ev32.id = ev->id;
>
> memcpy(&ev32.u, &ev->u, sizeof(ev->u));
> memcpy(&ev32.reserved, &ev->reserved, sizeof(ev->reserved));
> @@ -3210,21 +3212,23 @@ static int video_put_user(void __user *arg, void *parg, unsigned int cmd)
> case VIDIOC_DQBUF_TIME32:
> case VIDIOC_PREPARE_BUF_TIME32: {
> struct v4l2_buffer *vb = parg;
> - struct v4l2_buffer_time32 vb32 = {
> - .index = vb->index,
> - .type = vb->type,
> - .bytesused = vb->bytesused,
> - .flags = vb->flags,
> - .field = vb->field,
> - .timestamp.tv_sec = vb->timestamp.tv_sec,
> - .timestamp.tv_usec = vb->timestamp.tv_usec,
> - .timecode = vb->timecode,
> - .sequence = vb->sequence,
> - .memory = vb->memory,
> - .m.userptr = vb->m.userptr,
> - .length = vb->length,
> - .request_fd = vb->request_fd,
> - };
> + struct v4l2_buffer_time32 vb32;
> +
> + memset(&vb32, 0, sizeof(vb32));
> +
> + vb32.index = vb->index;
> + vb32.type = vb->type;
> + vb32.bytesused = vb->bytesused;
> + vb32.flags = vb->flags;
> + vb32.field = vb->field;
> + vb32.timestamp.tv_sec = vb->timestamp.tv_sec;
> + vb32.timestamp.tv_usec = vb->timestamp.tv_usec;
> + vb32.timecode = vb->timecode;
> + vb32.sequence = vb->sequence;
> + vb32.memory = vb->memory;
> + vb32.m.userptr = vb->m.userptr;
> + vb32.length = vb->length;
> + vb32.request_fd = vb->request_fd;
>
> if (copy_to_user(arg, &vb32, sizeof(vb32)))
> return -EFAULT;
--
Regards,
Laurent Pinchart
Powered by blists - more mailing lists