lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87ilj65edt.wl-tiwai@suse.de>
Date:   Wed, 23 Nov 2022 08:17:02 +0100
From:   Takashi Iwai <tiwai@...e.de>
To:     butt3rflyh4ck <butterflyhuangxx@...il.com>
Cc:     perex@...ex.cz, tiwai@...e.com, baolin.wang@...ux.alibaba.com,
        alsa-devel@...a-project.org, linux-kernel@...r.kernel.org
Subject: Re: [RESEND PATCH] ALSA: rawmidi: fix infoleak in snd_rawmidi_ioctl_status_compat64

On Wed, 23 Nov 2022 08:06:16 +0100,
butt3rflyh4ck wrote:
> 
> Hi, the compat_status structure is struct compat_snd_rawmidi_status64 {
> s32 stream;
> u8 rsvd[4]; /* alignment */
> s64 tstamp_sec;
> s64 tstamp_nsec;
> u32 avail;
> u32 xruns;
> unsigned char reserved[16];
> } __attribute__((packed));
> The rsvd[4] and reserved[16] are not  initialized.

Other members are initialized with zero.
  https://gcc.gnu.org/onlinedocs/gcc/Designated-Inits.html


Takashi

> 
> 
> Regards,
>  butt3rflyh4ck.
> 
> On Wed, Nov 23, 2022 at 2:55 PM Takashi Iwai <tiwai@...e.de> wrote:
> >
> > On Wed, 23 Nov 2022 06:09:11 +0100,
> > Xiaolong Huang wrote:
> > >
> > > The compat_status is declared off of the stack, so it needs to
> > > be zeroed out before copied back to userspace to prevent any
> > > unintentional data leakage.
> > >
> > > Fixes: d9e5582c4bb2 ("ALSA: Avoid using timespec for struct snd_rawmidi_status")
> > > Signed-off-by: Xiaolong Huang <butterflyhuangxx@...il.com>
> > >
> > > ---
> > >
> > > Reason for resend:
> > > 1. add Fixes line.
> > > ---
> > >  sound/core/rawmidi_compat.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/sound/core/rawmidi_compat.c b/sound/core/rawmidi_compat.c
> > > index 68a93443583c..6afa68165b17 100644
> > > --- a/sound/core/rawmidi_compat.c
> > > +++ b/sound/core/rawmidi_compat.c
> > > @@ -80,6 +80,7 @@ static int snd_rawmidi_ioctl_status_compat64(struct snd_rawmidi_file *rfile,
> > >       if (err < 0)
> > >               return err;
> > >
> > > +     memset(&compat_status, 0, sizeof(compat_status));
> > >       compat_status = (struct compat_snd_rawmidi_status64) {
> > >               .stream = status.stream,
> > >               .tstamp_sec = status.tstamp_sec,
> >
> > Here at the line just after your addition, compat_status is fully
> > initialized by substitution, so I believe the memset is superfluous.
> >
> > Or have you verified that it really leaks the uninitialized memory?
> >
> >
> > thanks,
> >
> > Takashi
> 
> 
> 
> -- 
> Active Defense Lab of Venustech
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ