linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Peilin Ye <yepeilin.cs@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel-mentees@lists.linuxfoundation.org,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix kernel-infoleak in video_put_user()
Date: Tue, 28 Jul 2020 12:47:07 +0300	[thread overview]
Message-ID: <20200728094707.GF2571@kadam> (raw)
In-Reply-To: <20200727223357.GA329006@PWN>

On Mon, Jul 27, 2020 at 06:33:57PM -0400, Peilin Ye wrote:
> On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote:
> > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd' doesn't leak information (struct has a hole after 'flags')
> 
> (Removed some Cc: recipients from the list.)
> 
> I'm not very sure, but I think this one is also a false positive.

No, it's a potential bug.  You're over thinking what Smatch is
complaining about.  Arnd is right.

  3123  static int raw_cmd_copyout(int cmd, void __user *param,
  3124                                    struct floppy_raw_cmd *ptr)
  3125  {
  3126          int ret;
  3127  
  3128          while (ptr) {
  3129                  struct floppy_raw_cmd cmd = *ptr;
                                              ^^^^^^^^^^
The compiler can either do this assignment as an memcpy() or as a
series of struct member assignments.  So the assignment can leave the
struct hole uninitialized.

  3130                  cmd.next = NULL;
  3131                  cmd.kernel_data = NULL;
  3132                  ret = copy_to_user(param, &cmd, sizeof(cmd));
                                                  ^^^^
potential info leak.

  3133                  if (ret)
  3134                          return -EFAULT;
  3135                  param += sizeof(struct floppy_raw_cmd);
  3136                  if ((ptr->flags & FD_RAW_READ) && ptr->buffer_length) {
  3137                          if (ptr->length >= 0 &&
  3138                              ptr->length <= ptr->buffer_length) {
  3139                                  long length = ptr->buffer_length - ptr->length;
  3140                                  ret = fd_copyout(ptr->data, ptr->kernel_data,
  3141                                                   length);
  3142                                  if (ret)
  3143                                          return ret;
  3144                          }
  3145                  }
  3146                  ptr = ptr->next;
  3147          }
  3148  
  3149          return 0;
  3150  }

regards,
dan carpenter

  parent reply	other threads:[~2020-07-28  9:49 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-26 16:44 [Linux-kernel-mentees] [PATCH] media/v4l2-core: Fix kernel-infoleak in video_put_user() Peilin Ye
2020-07-26 17:30 ` Laurent Pinchart
2020-07-26 18:07   ` Peilin Ye
2020-07-26 22:08     ` Laurent Pinchart
2020-07-26 22:15       ` Peilin Ye
2020-07-26 18:12   ` Peilin Ye
2020-07-26 22:05 ` [Linux-kernel-mentees] [PATCH v2] " Peilin Ye
2020-07-26 22:10   ` Laurent Pinchart
2020-07-26 22:16     ` Peilin Ye
2020-07-26 22:27   ` [Linux-kernel-mentees] [PATCH v3] " Peilin Ye
2020-07-27  7:25     ` Arnd Bergmann
2020-07-27  7:56       ` Peilin Ye
2020-07-27 13:16       ` Dan Carpenter
2020-07-27 14:05         ` Arnd Bergmann
2020-07-27 14:14           ` Peilin Ye
2020-07-27 14:20             ` Arnd Bergmann
2020-07-27 14:46             ` Dan Carpenter
2020-07-27 15:30               ` Peilin Ye
2020-07-27 14:43           ` Dan Carpenter
2020-07-27 14:55             ` Arnd Bergmann
2020-07-27 22:04         ` Peilin Ye
2020-07-28  9:00           ` Arnd Bergmann
2020-07-28 10:02           ` Dan Carpenter
2020-07-27 22:33         ` Peilin Ye
2020-07-28  9:10           ` Arnd Bergmann
2020-07-28  9:47           ` Dan Carpenter [this message]
2020-07-28 13:13             ` Peilin Ye
2020-07-28 12:22         ` Linus Walleij
2020-07-28 13:06           ` Dan Carpenter
2020-07-28 13:58             ` Arnd Bergmann
2020-07-30  8:07               ` Bartosz Golaszewski
2020-07-30  8:15                 ` Arnd Bergmann
2020-07-30  8:38                   ` Andy Shevchenko
2020-07-30  9:18                     ` Arnd Bergmann
2020-07-30 11:48                       ` Andy Shevchenko
2020-07-30 13:49                         ` Arnd Bergmann
2020-08-02 16:55         ` Peilin Ye
2020-07-27  8:00     ` [Linux-kernel-mentees] [PATCH v4] " Peilin Ye

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200728094707.GF2571@kadam \
    --to=dan.carpenter@oracle.com \
    --cc=arnd@arndb.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel-mentees@lists.linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=yepeilin.cs@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).