| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YFNswT3+488rC5Tl@pendragon.ideasonboard.com>
Date: Thu, 18 Mar 2021 17:07:45 +0200
From: Laurent Pinchart <laurent.pinchart@...asonboard.com>
To: Arnd Bergmann <arnd@...nel.org>
Cc: Mauro Carvalho Chehab <mchehab@...nel.org>,
Dmitry Vyukov <dvyukov@...gle.com>,
Arnd Bergmann <arnd@...db.de>,
syzbot+142888ffec98ab194028@...kaller.appspotmail.com,
Hans Verkuil <hverkuil-cisco@...all.nl>,
Sakari Ailus <sakari.ailus@...ux.intel.com>,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] media: v4l2-core: explicitly clear ioctl input data
Hi Arnd,
Thank you for the patch.
On Thu, Mar 18, 2021 at 02:43:19PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
>
> As seen from a recent syzbot bug report, mistakes in the compat ioctl
> implementation can lead to uninitialized kernel stack data getting used
> as input for driver ioctl handlers.
>
> The reported bug is now fixed, but it's possible that other related
> bugs are still present or get added in the future. As the drivers need
> to check user input already, the possible impact is fairly low, but it
> might still cause an information leak.
>
> To be on the safe side, always clear the entire ioctl buffer before
> calling the conversion handler functions that are meant to initialize
> them.
>
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>
> ---
> drivers/media/v4l2-core/v4l2-ioctl.c | 51 ++++++++++++++++------------
> 1 file changed, 29 insertions(+), 22 deletions(-)
>
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index 2b1bb68dc27f..6cec92d0972c 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -3164,12 +3164,23 @@ static int video_get_user(void __user *arg, void *parg,
>
> if (cmd == real_cmd) {
> if (copy_from_user(parg, (void __user *)arg, n))
> - err = -EFAULT;
> - } else if (in_compat_syscall()) {
> - err = v4l2_compat_get_user(arg, parg, cmd);
> - } else {
> - switch (cmd) {
> + return -EFAULT;
> +
> + /* zero out anything we don't copy from userspace */
> + if (n < _IOC_SIZE(real_cmd))
> + memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);
> +
> + return 0;
> + }
> +
> + /* zero out whole buffer first to deal with missing emulation */
> + memset(parg, 0, _IOC_SIZE(real_cmd));
> +
> + if (in_compat_syscall())
> + return v4l2_compat_get_user(arg, parg, cmd);
> +
> #if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
> + switch (cmd) {
> case VIDIOC_QUERYBUF_TIME32:
> case VIDIOC_QBUF_TIME32:
> case VIDIOC_DQBUF_TIME32:
> @@ -3182,28 +3193,24 @@ static int video_get_user(void __user *arg, void *parg,
>
> *vb = (struct v4l2_buffer) {
> .index = vb32.index,
> - .type = vb32.type,
> - .bytesused = vb32.bytesused,
> - .flags = vb32.flags,
> - .field = vb32.field,
> - .timestamp.tv_sec = vb32.timestamp.tv_sec,
> - .timestamp.tv_usec = vb32.timestamp.tv_usec,
> - .timecode = vb32.timecode,
> - .sequence = vb32.sequence,
> - .memory = vb32.memory,
> - .m.userptr = vb32.m.userptr,
> - .length = vb32.length,
> - .request_fd = vb32.request_fd,
> + .type = vb32.type,
> + .bytesused = vb32.bytesused,
> + .flags = vb32.flags,
> + .field = vb32.field,
> + .timestamp.tv_sec = vb32.timestamp.tv_sec,
> + .timestamp.tv_usec = vb32.timestamp.tv_usec,
> + .timecode = vb32.timecode,
> + .sequence = vb32.sequence,
> + .memory = vb32.memory,
> + .m.userptr = vb32.m.userptr,
> + .length = vb32.length,
> + .request_fd = vb32.request_fd,
> };
> break;
> }
> -#endif
> - }
> }
> +#endif
>
> - /* zero out anything we don't copy from userspace */
> - if (!err && n < _IOC_SIZE(real_cmd))
> - memset((u8 *)parg + n, 0, _IOC_SIZE(real_cmd) - n);
> return err;
> }
>
--
Regards,
Laurent Pinchart
Powered by blists - more mailing lists