| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3058d741282b463d8aa7c8aff62e4326@AcuMS.aculab.com>
Date: Tue, 28 Jul 2020 12:35:17 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Peilin Ye' <yepeilin.cs@...il.com>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>
CC: David Airlie <airlied@...ux.ie>, Daniel Vetter <daniel@...ll.ch>,
"Dan Carpenter" <dan.carpenter@...cle.com>,
Arnd Bergmann <arnd@...db.de>,
"Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
"linux-kernel-mentees@...ts.linuxfoundation.org"
<linux-kernel-mentees@...ts.linuxfoundation.org>,
"dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [Linux-kernel-mentees] [PATCH v2] drm/bufs: Prevent
kernel-infoleak in copy_one_buf()
From: Peilin Ye
> Sent: 28 July 2020 12:52
> Currently `struct drm_buf_desc` is defined as follows:
>
> struct drm_buf_desc {
> int count;
> int size;
> int low_mark;
> int high_mark;
> enum {
> _DRM_PAGE_ALIGN = 0x01,
> _DRM_AGP_BUFFER = 0x02,
> _DRM_SG_BUFFER = 0x04,
> _DRM_FB_BUFFER = 0x08,
> _DRM_PCI_BUFFER_RO = 0x10
> } flags;
> unsigned long agp_start;
> };
>
> copy_one_buf() is potentially copying uninitialized kernel stack memory
> to userspace, since the compiler may leave such "holes" (around `.flags`
> and `.agp_start` fields) in this statically allocated structure. Prevent
> it by initializing `v` with memset().
>
> Cc: stable@...r.kernel.org
> Fixes: 5c7640ab6258 ("switch compat_drm_infobufs() to drm_ioctl_kernel()")
> Suggested-by: Dan Carpenter <dan.carpenter@...cle.com>
> Acked-by: Arnd Bergmann <arnd@...db.de>
> Signed-off-by: Peilin Ye <yepeilin.cs@...il.com>
> ---
> Change in v2:
> - Improve commit description. (Suggested by Arnd Bergmann
> <arnd@...db.de>)
>
> drivers/gpu/drm/drm_bufs.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c
> index a0735fbc144b..f99cd4a3f951 100644
> --- a/drivers/gpu/drm/drm_bufs.c
> +++ b/drivers/gpu/drm/drm_bufs.c
> @@ -1349,10 +1349,14 @@ static int copy_one_buf(void *data, int count, struct drm_buf_entry *from)
> {
> struct drm_buf_info *request = data;
> struct drm_buf_desc __user *to = &request->list[count];
> - struct drm_buf_desc v = {.count = from->buf_count,
> - .size = from->buf_size,
> - .low_mark = from->low_mark,
> - .high_mark = from->high_mark};
> + struct drm_buf_desc v;
> +
> + memset(&v, 0, sizeof(v));
> +
> + v.count = from->buf_count;
> + v.size = from->buf_size;
> + v.low_mark = from->low_mark;
> + v.high_mark = from->high_mark;
>
> if (copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags)))
> return -EFAULT;
The memset() isn't needed.
The copy_to_user() stops after the 4 'int' values so no 'random'
kernel stack can get copied.
Quite why it is 'right' to leave the remaining part of each
userspace structure unchanged is another matter.
David.
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists