| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250120143719.GN674319@ziepe.ca>
Date: Mon, 20 Jan 2025 10:37:19 -0400
From: Jason Gunthorpe <jgg@...pe.ca>
To: Nicolin Chen <nicolinc@...dia.com>
Cc: kevin.tian@...el.com, baolu.lu@...ux.intel.com, iommu@...ts.linux.dev,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH rc v2] iommufd: Explicitize struct iommu_hwpt_pgfault
padding
On Sun, Jan 19, 2025 at 10:24:11PM -0800, Nicolin Chen wrote:
> --- a/drivers/iommu/iommufd/fault.c
> +++ b/drivers/iommu/iommufd/fault.c
> @@ -253,6 +253,7 @@ static void iommufd_compose_fault_message(struct iommu_fault *fault,
> hwpt_fault->pasid = fault->prm.pasid;
> hwpt_fault->grpid = fault->prm.grpid;
> hwpt_fault->perm = fault->prm.perm;
> + hwpt_fault->__reserved = 0;
> hwpt_fault->addr = fault->prm.addr;
> hwpt_fault->length = 0;
> hwpt_fault->cookie = cookie;
Yikes, so it was leaking kernel stack memory through the padding too.
We should zero init the stack struct to be safe:
@@ -247,7 +247,7 @@ static ssize_t iommufd_fault_fops_read(struct file *filep, char __user *buf,
{
size_t fault_size = sizeof(struct iommu_hwpt_pgfault);
struct iommufd_fault *fault = filep->private_data;
- struct iommu_hwpt_pgfault data;
+ struct iommu_hwpt_pgfault data = {};
struct iommufd_device *idev;
struct iopf_group *group;
struct iopf_fault *iopf;
I can fix it up if that is the only change
Jason
Powered by blists - more mailing lists