Open Source and information security mailing list archives
Message-ID: <CAK8P3a3qrPa0Jue-eLrXn+ufBsvY4+UQr7SQ9ZHxuEMtvoYMhA@mail.gmail.com>
Date:   Fri, 4 Dec 2020 09:28:11 +0100
From:   Arnd Bergmann <arnd@...nel.org>
To:     Tzung-Bi Shih <tzungbi@...gle.com>
Cc:     Cheng-Yi Chiang <cychiang@...omium.org>,
        Liam Girdwood <lgirdwood@...il.com>,
        Mark Brown <broonie@...nel.org>,
        Jaroslav Kysela <perex@...ex.cz>,
        Takashi Iwai <tiwai@...e.com>,
        Benson Leung <bleung@...omium.org>,
        Enric Balletbo i Serra <enric.balletbo@...labora.com>,
        Arnd Bergmann <arnd@...db.de>,
        Guenter Roeck <groeck@...omium.org>,
        ALSA development <alsa-devel@...a-project.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ASoC: cros_ec_codec: fix uninitialized memory read

On Fri, Dec 4, 2020 at 3:56 AM Tzung-Bi Shih <tzungbi@...gle.com> wrote:
>
> On Fri, Dec 4, 2020 at 6:55 AM Arnd Bergmann <arnd@...nel.org> wrote:
> >
> > From: Arnd Bergmann <arnd@...db.de>
> >
> > gcc points out a memory area that is copied to a device
> > but not initialized:
> >
> > sound/soc/codecs/cros_ec_codec.c: In function 'i2s_rx_event':
> > arch/x86/include/asm/string_32.h:83:20: error: '*((void *)&p+4)' may be used uninitialized in this function [-Werror=maybe-uninitialized]
> >    83 |   *((int *)to + 1) = *((int *)from + 1);
> >
> > Initialize all the unused fields to zero.
> >
> > Fixes: 727f1c71c780 ("ASoC: cros_ec_codec: refactor I2S RX")
> > Signed-off-by: Arnd Bergmann <arnd@...db.de>
>
> Acked-by: Tzung-Bi Shih <tzungbi@...gle.com>
>
> In the case in i2s_rx_event(), only the "cmd" member is used.  But it
> is fine to please the compiler.

I wouldn't do it just to please the compiler. I sent this patch since
the code clearly copies the uninitialized data here. If only
one byte is meant to be copied, then we should change the
function call to not pass the entire structure. I'll send a new
patch for that.

> struct __ec_align4 ec_param_ec_codec_i2s_rx {
>         uint8_t cmd; /* enum ec_codec_i2s_rx_subcmd */
>         uint8_t reserved[3];
>
>         union {
>             ...
>         };
> };
>
> I am a bit curious about, in other use cases of
> ec_param_ec_codec_i2s_rx, why the compiler doesn't complain about
> uninitialization of the "reserved" member?

The -Wmaybe-uninitialized warning is fundamentally unreliable.
In this case, the __constant_memcpy() function accesses the
members one at a time, and the warning is for the first 'int' array
member that is completely uninitialized, while the 'reserved'
part of the structure is still in the first 'int' that is partially initialized.

      Arnd
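
Added example, not part of the original message or of the kernel source: a user-space C model of the pattern discussed above, where only "cmd" is set but the whole structure is copied out, next to the two fixes mentioned in the thread (zero the unused fields, or pass only the bytes that are meant to be sent). The struct demo_param, its payload union, the POISON fill that stands in for stale stack contents, and the send_to_device()/send_cmd() helpers are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA /* stands in for stale stack contents */

/* Hypothetical layout modelled on the quoted struct; payload is constructed. */
struct demo_param {
    uint8_t cmd;
    uint8_t reserved[3];
    union { uint32_t words[2]; uint8_t raw[8]; } payload;
};

static uint8_t device_buf[sizeof(struct demo_param)]; /* simulated device */

/* Simulated transport: copy len bytes out, return how many were stale. */
static size_t send_to_device(const void *msg, size_t len)
{
    size_t i, stale = 0;

    memset(device_buf, 0, sizeof(device_buf));
    memcpy(device_buf, msg, len);
    for (i = 0; i < len; i++)
        stale += (device_buf[i] == POISON);
    return stale;
}

/* Build the message: optionally zero it, set cmd, send len bytes. */
static size_t send_cmd(uint8_t cmd, int zero_first, size_t len)
{
    struct demo_param p;

    memset(&p, POISON, sizeof(p)); /* model uninitialized storage */
    if (zero_first)
        memset(&p, 0, sizeof(p)); /* fix 1: initialize unused fields */
    p.cmd = cmd;
    return send_to_device(&p, len); /* fix 2 is len == sizeof(p.cmd) */
}

int main(void)
{
    printf("cmd only, full struct: %zu stale bytes\n",
           send_cmd(1, 0, sizeof(struct demo_param)));
    printf("zeroed, full struct:   %zu stale bytes\n",
           send_cmd(1, 1, sizeof(struct demo_param)));
    printf("cmd only, one byte:    %zu stale bytes\n",
           send_cmd(1, 0, sizeof(uint8_t)));
    return 0;
}
```

The poison fill makes the result deterministic; in real code the bytes that reach the device are whatever the stack held before the call.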
