lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Jul 2020 18:33:57 -0400 From: Peilin Ye <yepeilin.cs@...il.com> To: Dan Carpenter <dan.carpenter@...cle.com> Cc: Arnd Bergmann <arnd@...db.de>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, linux-kernel-mentees@...ts.linuxfoundation.org, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix kernel-infoleak in video_put_user() On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote: > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd' doesn't leak information (struct has a hole after 'flags') (Removed some Cc: recipients from the list.) I'm not very sure, but I think this one is also a false positive. Here Smatch is complaining about a linked list called `my_raw_cmd` defined in raw_cmd_ioctl(): drivers/block/floppy.c:3249: ret = raw_cmd_copyin(cmd, param, &my_raw_cmd); In raw_cmd_copyin(), each element of the linked list is allocated by kmalloc() then copied from user: drivers/block/floppy.c:3180: loop: ptr = kmalloc(sizeof(struct floppy_raw_cmd), GFP_KERNEL); ^^^^^^^ if (!ptr) return -ENOMEM; *rcmd = ptr; ret = copy_from_user(ptr, param, sizeof(*ptr)); ^^^^^^^^^^^^^^ I think copy_from_user() is filling in the paddings inside `struct floppy_raw_cmd`? Thank you, Peilin Ye
Powered by blists - more mailing lists