| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAK8P3a2i2mnRPZ-f9UNxPNJcjyjdTOA7-fgcMqavsV8Ab17RkQ@mail.gmail.com>
Date: Thu, 30 Jul 2020 11:18:04 +0200
From: Arnd Bergmann <arnd@...db.de>
To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Cc: Bartosz Golaszewski <brgl@...ev.pl>,
Dan Carpenter <dan.carpenter@...cle.com>,
Linus Walleij <linus.walleij@...aro.org>,
Peilin Ye <yepeilin.cs@...il.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Hans Verkuil <hverkuil-cisco@...all.nl>,
Sakari Ailus <sakari.ailus@...ux.intel.com>,
Laurent Pinchart <laurent.pinchart@...asonboard.com>,
Vandana BN <bnvandana@...il.com>,
Ezequiel Garcia <ezequiel@...labora.com>,
Niklas Söderlund
<niklas.soderlund+renesas@...natech.se>,
linux-kernel-mentees@...ts.linuxfoundation.org,
Linux Media Mailing List <linux-media@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix
kernel-infoleak in video_put_user()
On Thu, Jul 30, 2020 at 10:38 AM Andy Shevchenko
<andriy.shevchenko@...ux.intel.com> wrote:
> On Thu, Jul 30, 2020 at 10:15:24AM +0200, Arnd Bergmann wrote:
> > On Thu, Jul 30, 2020 at 10:07 AM Bartosz Golaszewski <brgl@...ev.pl> wrote:
> > >
> > > On Tue, Jul 28, 2020 at 3:58 PM Arnd Bergmann <arnd@...db.de> wrote:
> > > >
> > > > On Tue, Jul 28, 2020 at 3:06 PM Dan Carpenter <dan.carpenter@...cle.com> wrote:
> > > > Something like
> > > >
> > > > static int lineevent_put_data(void __user *uptr, struct gpioevent_data *ge)
> > > > {
> > > > #ifdef __x86_64__
> > > > /* i386 has no padding after 'id' */
> > > > if (in_ia32_syscall()) {
> > > > struct {
> > > > compat_u64 timestamp __packed;
> > > > u32 id;
> > > > } compat_ge = { ge->timestamp, ge->id };
> > > >
> > > > if (copy_to_user(uptr, &compat_ge, sizeof(compat_ge)))
> > > > return -EFAULT;
> > > >
> > > > return sizeof(compat_ge);
> > > > }
> > > > #endif
> > > >
> > > > if (copy_to_user(uptr, ge, sizeof(*ge))
> > > > return -EFAULT;
> > > >
> > > > return sizeof(*ge);
> > > > }
> > > >
> > > > Arnd
> > >
> > > Hi Arnd,
> > >
> > > Andy actually had a patch for that but since this isn't a regression
> > > (it never worked), we decided to leave it as it is and get it right in
> > > v2 API.
> >
> > I would argue that it needs to be fixed anyway, unless you also want
> > to remove the v1 interface for native mode. If this works on 32-bit
> > kernels, on 64-bit kernels with 64-bit user space and on compat
> > 32-bit user space on 64-bit non-x86 architectures, I see no reason
> > to leave it broken specifically on x86 compat user space. There are
> > still reasons to use 32-bit x86 user space for low-memory machines
> > even though native i386 kernels are getting increasingly silly.
>
> It was possible to "fix" (mitigate to some extent) before libgpiod got support
> for several events in a request. Now it seems to be impossible to fix. AFAIU we
> must discard any request to more than one event in it.
Any reason why the workaround I suggested above would not work?
The in_ia32_syscall() check should be completely reliable in telling whether
we are called from read() by an ia32 task or not, and we use the same
logic for input_event, which has a similar problem (on all compat architectures,
not just x86).
> However I'm not an expert in compat IOCTL code (you are :-) and perhaps you may
> provide ideas better than mine.
What makes this interface tricky is that this is actually a read() call, not
ioctl() which is usually easier because it encodes the data length in the
command code. As far as I could tell from skimming the interface, the
ioctls are actually fine here.
Arnd
Powered by blists - more mailing lists