From: Peilin Ye <yepeilin.cs@gmail.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-kernel-mentees@lists.linuxfoundation.org,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>
Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix kernel-infoleak in video_put_user()
Date: Tue, 28 Jul 2020 09:13:28 -0400 [thread overview]
Message-ID: <20200728131328.GA410244@PWN> (raw)
In-Reply-To: <20200728094707.GF2571@kadam>
On Tue, Jul 28, 2020 at 12:47:07PM +0300, Dan Carpenter wrote:
> On Mon, Jul 27, 2020 at 06:33:57PM -0400, Peilin Ye wrote:
> > On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote:
> > > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd' doesn't leak information (struct has a hole after 'flags')
> >
> > (Removed some Cc: recipients from the list.)
> >
> > I'm not very sure, but I think this one is also a false positive.
>
> No, it's a potential bug. You're over thinking what Smatch is
> complaining about. Arnd is right.
>
> 3123 static int raw_cmd_copyout(int cmd, void __user *param,
> 3124 struct floppy_raw_cmd *ptr)
> 3125 {
> 3126 int ret;
> 3127
> 3128 while (ptr) {
> 3129 struct floppy_raw_cmd cmd = *ptr;
> ^^^^^^^^^^
> The compiler can either do this assignment as an memcpy() or as a
> series of struct member assignments. So the assignment can leave the
> struct hole uninitialized.
I see, I didn't realize this line could cause the issue. Thank you for
pointing this out, I will do this then send a patch:
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 09079aee8dc4..398c261fd174 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3126,7 +3126,8 @@ static int raw_cmd_copyout(int cmd, void __user *param,
int ret;
while (ptr) {
- struct floppy_raw_cmd cmd = *ptr;
+ struct floppy_raw_cmd cmd;
+ memcpy(&cmd, ptr, sizeof(cmd));
cmd.next = NULL;
cmd.kernel_data = NULL;
ret = copy_to_user(param, &cmd, sizeof(cmd));
Thank you,
Peilin Ye
> 3130 cmd.next = NULL;
> 3131 cmd.kernel_data = NULL;
> 3132 ret = copy_to_user(param, &cmd, sizeof(cmd));
> ^^^^
> potential info leak.
>
> 3133 if (ret)
> 3134 return -EFAULT;
> 3135 param += sizeof(struct floppy_raw_cmd);
> 3136 if ((ptr->flags & FD_RAW_READ) && ptr->buffer_length) {
> 3137 if (ptr->length >= 0 &&
> 3138 ptr->length <= ptr->buffer_length) {
> 3139 long length = ptr->buffer_length - ptr->length;
> 3140 ret = fd_copyout(ptr->data, ptr->kernel_data,
> 3141 length);
> 3142 if (ret)
> 3143 return ret;
> 3144 }
> 3145 }
> 3146 ptr = ptr->next;
> 3147 }
> 3148
> 3149 return 0;
> 3150 }
>
> regards,
> dan carpenter
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next prev parent reply other threads:[~2020-07-28 13:13 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-26 16:44 [Linux-kernel-mentees] [PATCH] media/v4l2-core: Fix kernel-infoleak in video_put_user() Peilin Ye
2020-07-26 17:30 ` Laurent Pinchart
2020-07-26 18:07 ` Peilin Ye
2020-07-26 22:08 ` Laurent Pinchart
2020-07-26 22:15 ` Peilin Ye
2020-07-26 18:12 ` Peilin Ye
2020-07-26 22:05 ` [Linux-kernel-mentees] [PATCH v2] " Peilin Ye
2020-07-26 22:10 ` Laurent Pinchart
2020-07-26 22:16 ` Peilin Ye
2020-07-26 22:27 ` [Linux-kernel-mentees] [PATCH v3] " Peilin Ye
2020-07-27 7:25 ` Arnd Bergmann
2020-07-27 7:56 ` Peilin Ye
2020-07-27 13:16 ` Dan Carpenter
2020-07-27 14:05 ` Arnd Bergmann
2020-07-27 14:14 ` Peilin Ye
2020-07-27 14:20 ` Arnd Bergmann
2020-07-27 14:46 ` Dan Carpenter
2020-07-27 15:30 ` Peilin Ye
2020-07-27 14:43 ` Dan Carpenter
2020-07-27 14:55 ` Arnd Bergmann
2020-07-27 22:04 ` Peilin Ye
2020-07-28 9:00 ` Arnd Bergmann
2020-07-28 10:02 ` Dan Carpenter
2020-07-27 22:33 ` Peilin Ye
2020-07-28 9:10 ` Arnd Bergmann
2020-07-28 9:47 ` Dan Carpenter
2020-07-28 13:13 ` Peilin Ye [this message]
2020-07-28 12:22 ` Linus Walleij
2020-07-28 13:06 ` Dan Carpenter
2020-07-28 13:58 ` Arnd Bergmann
2020-07-30 8:07 ` Bartosz Golaszewski
2020-07-30 8:15 ` Arnd Bergmann
2020-07-30 8:38 ` Andy Shevchenko
2020-07-30 9:18 ` Arnd Bergmann
2020-07-30 11:48 ` Andy Shevchenko
2020-07-30 13:49 ` Arnd Bergmann
2020-08-02 16:55 ` Peilin Ye
2020-07-27 8:00 ` [Linux-kernel-mentees] [PATCH v4] " Peilin Ye
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200728131328.GA410244@PWN \
--to=yepeilin.cs@gmail.com \
--cc=arnd@arndb.de \
--cc=dan.carpenter@oracle.com \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).