lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YMeKI4OZrtS529BO@pendragon.ideasonboard.com>
Date:   Mon, 14 Jun 2021 19:56:03 +0300
From:   Laurent Pinchart <laurent.pinchart@...asonboard.com>
To:     Arnd Bergmann <arnd@...nel.org>
Cc:     Hans Verkuil <hverkuil-cisco@...all.nl>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Arnd Bergmann <arnd@...db.de>,
        "Lad, Prabhakar" <prabhakar.csengg@...il.com>,
        Eduardo Valentin <edubezval@...il.com>,
        Sakari Ailus <sakari.ailus@...ux.intel.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Vaibhav Gupta <vaibhavgupta40@...il.com>,
        Liu Shixin <liushixin2@...wei.com>,
        Jacopo Mondi <jacopo+renesas@...ndi.org>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
        linux-staging@...ts.linux.dev
Subject: Re: [PATCH v3 2/8] media: v4l2-core: explicitly clear ioctl input
 data

Hi Arnd,

Thank you for the patch.

On Mon, Jun 14, 2021 at 12:34:03PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
> 
> As seen from a recent syzbot bug report, mistakes in the compat ioctl
> implementation can lead to uninitialized kernel stack data getting used
> as input for driver ioctl handlers.
> 
> The reported bug is now fixed, but it's possible that other related
> bugs are still present or get added in the future. As the drivers need
> to check user input already, the possible impact is fairly low, but it
> might still cause an information leak.
> 
> To be on the safe side, always clear the entire ioctl buffer before
> calling the conversion handler functions that are meant to initialize
> them.
> 
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
>  drivers/media/v4l2-core/v4l2-ioctl.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index 58df927aec7e..f19e56116e53 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -3124,8 +3124,10 @@ static int video_get_user(void __user *arg, void *parg,
>  		if (copy_from_user(parg, (void __user *)arg, n))
>  			err = -EFAULT;
>  	} else if (in_compat_syscall()) {
> +		memset(parg, 0, n);
>  		err = v4l2_compat_get_user(arg, parg, cmd);
>  	} else {
> +		memset(parg, 0, n);

This could possibly be moved with the #if block by making it cover the
whole switch, but I don't think this code path will be hit when cmd
isn't one of the values handled below, so it shouldn't matter.

Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>

>  		switch (cmd) {
>  #if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
>  		case VIDIOC_QUERYBUF_TIME32:

-- 
Regards,

Laurent Pinchart

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ