[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <690213fd-d3d2-2253-dcb2-367a65b34f38@amd.com>
Date: Fri, 31 Jul 2020 08:57:53 +0200
From: Christian König <christian.koenig@....com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Luben Tuikov <luben.tuikov@....com>
Cc: Alex Deucher <alexdeucher@...il.com>,
Xiaojie Yuan <xiaojie.yuan@....com>,
Thomas Zimmermann <tzimmermann@...e.de>,
Arnd Bergmann <arnd@...db.de>, David Airlie <airlied@...ux.ie>,
Felix Kuehling <Felix.Kuehling@....com>,
LKML <linux-kernel@...r.kernel.org>,
amd-gfx list <amd-gfx@...ts.freedesktop.org>,
Nicholas Kazlauskas <nicholas.kazlauskas@....com>,
Marek Olšák <marek.olsak@....com>,
Hans de Goede <hdegoede@...hat.com>, Trek <trek00@...ox.ru>,
Maling list - DRI developers
<dri-devel@...ts.freedesktop.org>, Daniel Vetter <daniel@...ll.ch>,
Alex Deucher <alexander.deucher@....com>,
Evan Quan <evan.quan@....com>, Leo Liu <leo.liu@....com>,
Peilin Ye <yepeilin.cs@...il.com>,
Dan Carpenter <dan.carpenter@...cle.com>,
linux-kernel-mentees@...ts.linuxfoundation.org
Subject: Re: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent
kernel-infoleak in amdgpu_info_ioctl()
Am 31.07.20 um 08:53 schrieb Greg Kroah-Hartman:
> On Thu, Jul 30, 2020 at 05:09:07PM -0400, Luben Tuikov wrote:
>> On 2020-07-29 9:49 a.m., Alex Deucher wrote:
>>> On Wed, Jul 29, 2020 at 4:11 AM Christian König
>>> <ckoenig.leichtzumerken@...il.com> wrote:
>>>> Am 28.07.20 um 21:29 schrieb Peilin Ye:
>>>>> Compiler leaves a 4-byte hole near the end of `dev_info`, causing
>>>>> amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace
>>>>> when `size` is greater than 356.
>>>>>
>>>>> In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which
>>>>> unfortunately does not initialize that 4-byte hole. Fix it by using
>>>>> memset() instead.
>>>>>
>>>>> Cc: stable@...r.kernel.org
>>>>> Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()")
>>>>> Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
>>>>> Suggested-by: Dan Carpenter <dan.carpenter@...cle.com>
>>>>> Signed-off-by: Peilin Ye <yepeilin.cs@...il.com>
>>>> Reviewed-by: Christian König <christian.koenig@....com>
>>>>
>>>> I can't count how many of those we have fixed over the years.
>>>>
>>>> At some point we should probably document that using "= {}" or "= { 0 }"
>>>> in the kernel is a really bad idea and should be avoided.
>>> Moreover, it seems like different compilers seem to behave relatively
>>> differently with these and we often get reports of warnings with these
>>> on clang. When in doubt, memset.
>> There are quite a few of those under drivers/gpu/drm, for "amd/", "scheduler/"
>> drm*.c files,
>>
>> $find . \( -regex "./drm.*\.c" -or -regex "./amd/.*\.c" -or -regex "./scheduler/.*\.c" \) -exec egrep -n -- " *= *{ *(|NULL|0) *}" \{\} \+ | wc -l
>> 374
>> $_
>>
>> Out of which only 16 are of the non-ISO C variety, "= {}",
>>
>> $find . \( -regex "./drm.*\.c" -or -regex "./amd/.*\.c" -or -regex "./scheduler/.*\.c" \) -exec egrep -n -- " *= *{ *}" \{\} \+ | wc -l
>> 16
>> $_
>>
>> Perhaps the latter are the more pressing ones, since it is a C++ initializer and not a ISO C one.
> It only matters when we care copying the data to userspace, if it all
> stays in the kernel, all is fine.
Well only as long as you don't try to compute a CRC32, MD5 or any
fingerprint for a hash from the bytes from the structure.
Then it fails horrible and you wonder why the code doesn't works as
expected.
Regards,
Christian.
>
> thanks,
>
> greg k-h
Powered by blists - more mailing lists