| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Jun 2021 19:56:03 +0300
From: Laurent Pinchart <laurent.pinchart@...asonboard.com>
To: Arnd Bergmann <arnd@...nel.org>
Cc: Hans Verkuil <hverkuil-cisco@...all.nl>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Arnd Bergmann <arnd@...db.de>,
"Lad, Prabhakar" <prabhakar.csengg@...il.com>,
Eduardo Valentin <edubezval@...il.com>,
Sakari Ailus <sakari.ailus@...ux.intel.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Vaibhav Gupta <vaibhavgupta40@...il.com>,
Liu Shixin <liushixin2@...wei.com>,
Jacopo Mondi <jacopo+renesas@...ndi.org>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
linux-kernel@...r.kernel.org, linux-media@...r.kernel.org,
linux-staging@...ts.linux.dev
Subject: Re: [PATCH v3 2/8] media: v4l2-core: explicitly clear ioctl input
data
Hi Arnd,
Thank you for the patch.
On Mon, Jun 14, 2021 at 12:34:03PM +0200, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
>
> As seen from a recent syzbot bug report, mistakes in the compat ioctl
> implementation can lead to uninitialized kernel stack data getting used
> as input for driver ioctl handlers.
>
> The reported bug is now fixed, but it's possible that other related
> bugs are still present or get added in the future. As the drivers need
> to check user input already, the possible impact is fairly low, but it
> might still cause an information leak.
>
> To be on the safe side, always clear the entire ioctl buffer before
> calling the conversion handler functions that are meant to initialize
> them.
>
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
> drivers/media/v4l2-core/v4l2-ioctl.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
> index 58df927aec7e..f19e56116e53 100644
> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
> @@ -3124,8 +3124,10 @@ static int video_get_user(void __user *arg, void *parg,
> if (copy_from_user(parg, (void __user *)arg, n))
> err = -EFAULT;
> } else if (in_compat_syscall()) {
> + memset(parg, 0, n);
> err = v4l2_compat_get_user(arg, parg, cmd);
> } else {
> + memset(parg, 0, n);
This could possibly be moved with the #if block by making it cover the
whole switch, but I don't think this code path will be hit when cmd
isn't one of the values handled below, so it shouldn't matter.
Reviewed-by: Laurent Pinchart <laurent.pinchart@...asonboard.com>
> switch (cmd) {
> #if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME)
> case VIDIOC_QUERYBUF_TIME32:
--
Regards,
Laurent Pinchart
Powered by blists - more mailing lists