lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20200727161932.322955-1-yepeilin.cs@gmail.com>
Date:   Mon, 27 Jul 2020 12:19:32 -0400
From:   Peilin Ye <yepeilin.cs@...il.com>
To:     Jens Axboe <axboe@...nel.dk>
Cc:     Peilin Ye <yepeilin.cs@...il.com>,
        Dan Carpenter <dan.carpenter@...cle.com>,
        Arnd Bergmann <arnd@...db.de>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel-mentees@...ts.linuxfoundation.org,
        linux-block@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [Linux-kernel-mentees] [PATCH] block/scsi-ioctl: Prevent kernel-infoleak in scsi_put_cdrom_generic_arg()

scsi_put_cdrom_generic_arg() is copying uninitialized stack memory to
userspace due to the compiler not initializing holes in statically
allocated structures. Fix it by initializing `cgc32` using memset().

Cc: stable@...r.kernel.org
Fixes: f3ee6e63a9df ("compat_ioctl: move CDROM_SEND_PACKET handling into scsi")
Suggested-by: Dan Carpenter <dan.carpenter@...cle.com>
Suggested-by: Arnd Bergmann <arnd@...db.de>
Signed-off-by: Peilin Ye <yepeilin.cs@...il.com>
---
 block/scsi_ioctl.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index ef722f04f88a..1b7f85634751 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -692,16 +692,19 @@ static int scsi_put_cdrom_generic_arg(const struct cdrom_generic_command *cgc,
 {
 #ifdef CONFIG_COMPAT
 	if (in_compat_syscall()) {
-		struct compat_cdrom_generic_command cgc32 = {
-			.buffer		= (uintptr_t)(cgc->buffer),
-			.buflen		= cgc->buflen,
-			.stat		= cgc->stat,
-			.sense		= (uintptr_t)(cgc->sense),
-			.data_direction	= cgc->data_direction,
-			.quiet		= cgc->quiet,
-			.timeout	= cgc->timeout,
-			.reserved[0]	= (uintptr_t)(cgc->reserved[0]),
-		};
+		struct compat_cdrom_generic_command cgc32;
+
+		memset(&cgc32, 0, sizeof(cgc32));
+
+		cgc32.buffer	= (uintptr_t)(cgc->buffer);
+		cgc32.buflen	= cgc->buflen;
+		cgc32.stat	= cgc->stat;
+		cgc32.sense	= (uintptr_t)(cgc->sense);
+		cgc32.data_direction	= cgc->data_direction;
+		cgc32.quiet	= cgc->quiet;
+		cgc32.timeout	= cgc->timeout;
+		cgc32.reserved[0]	= (uintptr_t)(cgc->reserved[0]);
+
 		memcpy(&cgc32.cmd, &cgc->cmd, CDROM_PACKET_SIZE);
 
 		if (copy_to_user(arg, &cgc32, sizeof(cgc32)))
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ