[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200728094707.GF2571@kadam>
Date: Tue, 28 Jul 2020 12:47:07 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Peilin Ye <yepeilin.cs@...il.com>
Cc: Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel-mentees@...ts.linuxfoundation.org,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix
kernel-infoleak in video_put_user()
On Mon, Jul 27, 2020 at 06:33:57PM -0400, Peilin Ye wrote:
> On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote:
> > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd' doesn't leak information (struct has a hole after 'flags')
>
> (Removed some Cc: recipients from the list.)
>
> I'm not very sure, but I think this one is also a false positive.
No, it's a potential bug. You're over thinking what Smatch is
complaining about. Arnd is right.
3123 static int raw_cmd_copyout(int cmd, void __user *param,
3124 struct floppy_raw_cmd *ptr)
3125 {
3126 int ret;
3127
3128 while (ptr) {
3129 struct floppy_raw_cmd cmd = *ptr;
^^^^^^^^^^
The compiler can either do this assignment as an memcpy() or as a
series of struct member assignments. So the assignment can leave the
struct hole uninitialized.
3130 cmd.next = NULL;
3131 cmd.kernel_data = NULL;
3132 ret = copy_to_user(param, &cmd, sizeof(cmd));
^^^^
potential info leak.
3133 if (ret)
3134 return -EFAULT;
3135 param += sizeof(struct floppy_raw_cmd);
3136 if ((ptr->flags & FD_RAW_READ) && ptr->buffer_length) {
3137 if (ptr->length >= 0 &&
3138 ptr->length <= ptr->buffer_length) {
3139 long length = ptr->buffer_length - ptr->length;
3140 ret = fd_copyout(ptr->data, ptr->kernel_data,
3141 length);
3142 if (ret)
3143 return ret;
3144 }
3145 }
3146 ptr = ptr->next;
3147 }
3148
3149 return 0;
3150 }
regards,
dan carpenter
Powered by blists - more mailing lists