| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210728085921.GV5047@twin.jikos.cz>
Date: Wed, 28 Jul 2021 10:59:22 +0200
From: David Sterba <dsterba@...e.cz>
To: Kees Cook <keescook@...omium.org>
Cc: linux-hardening@...r.kernel.org,
"Gustavo A. R. Silva" <gustavoars@...nel.org>,
Keith Packard <keithpac@...zon.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org,
netdev@...r.kernel.org, dri-devel@...ts.freedesktop.org,
linux-staging@...ts.linux.dev, linux-block@...r.kernel.org,
linux-kbuild@...r.kernel.org, clang-built-linux@...glegroups.com,
nborisov@...e.com
Subject: Re: [PATCH 01/64] media: omap3isp: Extract struct group for memcpy()
region
On Tue, Jul 27, 2021 at 01:57:52PM -0700, Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memcpy(), memmove(), and memset(), avoid
> intentionally writing across neighboring fields. Wrap the target region
> in a common named structure. This additionally fixes a theoretical
> misalignment of the copy (since the size of "buf" changes between 64-bit
> and 32-bit, but this is likely never built for 64-bit).
>
> FWIW, I think this code is totally broken on 64-bit (which appears to
> not be a "real" build configuration): it would either always fail (with
> an uninitialized data->buf_size) or would cause corruption in userspace
> due to the copy_to_user() in the call path against an uninitialized
> data->buf value:
>
> omap3isp_stat_request_statistics_time32(...)
> struct omap3isp_stat_data data64;
> ...
> omap3isp_stat_request_statistics(stat, &data64);
>
> int omap3isp_stat_request_statistics(struct ispstat *stat,
> struct omap3isp_stat_data *data)
> ...
> buf = isp_stat_buf_get(stat, data);
>
> static struct ispstat_buffer *isp_stat_buf_get(struct ispstat *stat,
> struct omap3isp_stat_data *data)
> ...
> if (buf->buf_size > data->buf_size) {
> ...
> return ERR_PTR(-EINVAL);
> }
> ...
> rval = copy_to_user(data->buf,
> buf->virt_addr,
> buf->buf_size);
>
> Regardless, additionally initialize data64 to be zero-filled to avoid
> undefined behavior.
>
> Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of omap3isp_stat_data")
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> drivers/media/platform/omap3isp/ispstat.c | 5 +--
> include/uapi/linux/omap3isp.h | 44 +++++++++++++++++------
> 2 files changed, 36 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/media/platform/omap3isp/ispstat.c b/drivers/media/platform/omap3isp/ispstat.c
> index 5b9b57f4d9bf..ea8222fed38e 100644
> --- a/drivers/media/platform/omap3isp/ispstat.c
> +++ b/drivers/media/platform/omap3isp/ispstat.c
> @@ -512,7 +512,7 @@ int omap3isp_stat_request_statistics(struct ispstat *stat,
> int omap3isp_stat_request_statistics_time32(struct ispstat *stat,
> struct omap3isp_stat_data_time32 *data)
> {
> - struct omap3isp_stat_data data64;
> + struct omap3isp_stat_data data64 = { };
Should this be { 0 } ?
We've seen patches trying to switch from { 0 } to { } but the answer
was that { 0 } is supposed to be used,
http://www.ex-parrot.com/~chris/random/initialise.html
(from https://lore.kernel.org/lkml/fbddb15a-6e46-3f21-23ba-b18f66e3448a@suse.com/)
Powered by blists - more mailing lists