| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200728131328.GA410244@PWN>
Date: Tue, 28 Jul 2020 09:13:28 -0400
From: Peilin Ye <yepeilin.cs@...il.com>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel-mentees@...ts.linuxfoundation.org,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix
kernel-infoleak in video_put_user()
On Tue, Jul 28, 2020 at 12:47:07PM +0300, Dan Carpenter wrote:
> On Mon, Jul 27, 2020 at 06:33:57PM -0400, Peilin Ye wrote:
> > On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote:
> > > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd' doesn't leak information (struct has a hole after 'flags')
> >
> > (Removed some Cc: recipients from the list.)
> >
> > I'm not very sure, but I think this one is also a false positive.
>
> No, it's a potential bug. You're over thinking what Smatch is
> complaining about. Arnd is right.
>
> 3123 static int raw_cmd_copyout(int cmd, void __user *param,
> 3124 struct floppy_raw_cmd *ptr)
> 3125 {
> 3126 int ret;
> 3127
> 3128 while (ptr) {
> 3129 struct floppy_raw_cmd cmd = *ptr;
> ^^^^^^^^^^
> The compiler can either do this assignment as an memcpy() or as a
> series of struct member assignments. So the assignment can leave the
> struct hole uninitialized.
I see, I didn't realize this line could cause the issue. Thank you for
pointing this out, I will do this then send a patch:
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 09079aee8dc4..398c261fd174 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3126,7 +3126,8 @@ static int raw_cmd_copyout(int cmd, void __user *param,
int ret;
while (ptr) {
- struct floppy_raw_cmd cmd = *ptr;
+ struct floppy_raw_cmd cmd;
+ memcpy(&cmd, ptr, sizeof(cmd));
cmd.next = NULL;
cmd.kernel_data = NULL;
ret = copy_to_user(param, &cmd, sizeof(cmd));
Thank you,
Peilin Ye
> 3130 cmd.next = NULL;
> 3131 cmd.kernel_data = NULL;
> 3132 ret = copy_to_user(param, &cmd, sizeof(cmd));
> ^^^^
> potential info leak.
>
> 3133 if (ret)
> 3134 return -EFAULT;
> 3135 param += sizeof(struct floppy_raw_cmd);
> 3136 if ((ptr->flags & FD_RAW_READ) && ptr->buffer_length) {
> 3137 if (ptr->length >= 0 &&
> 3138 ptr->length <= ptr->buffer_length) {
> 3139 long length = ptr->buffer_length - ptr->length;
> 3140 ret = fd_copyout(ptr->data, ptr->kernel_data,
> 3141 length);
> 3142 if (ret)
> 3143 return ret;
> 3144 }
> 3145 }
> 3146 ptr = ptr->next;
> 3147 }
> 3148
> 3149 return 0;
> 3150 }
>
> regards,
> dan carpenter
Powered by blists - more mailing lists