All of lore.kernel.org
 help / color / mirror / Atom feed
* [patch] Input: potential info leak in input_event_to_user()
@ 2011-09-23  6:22 ` Dan Carpenter
  0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23  6:22 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: linux-input, kernel-janitors

Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.

The issue here is that struct input_event_compat has a hole in it.

struct input_event_compat {
        struct compat_timeval {
        } time;                             /*     0     0 */

        /* XXX 8 bytes hole, try to pack */

        short unsigned int         type;    /*     8     2 */


Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/input/input-compat.c b/drivers/input/input-compat.c
index e46a867..007850a 100644
--- a/drivers/input/input-compat.c
+++ b/drivers/input/input-compat.c
@@ -44,6 +44,8 @@ int input_event_to_user(char __user *buffer,
 	if (INPUT_COMPAT_TEST) {
 		struct input_event_compat compat_event;
 
+		memset(&compat_event, 0, sizeof(compat_event));
+
 		compat_event.time.tv_sec = event->time.tv_sec;
 		compat_event.time.tv_usec = event->time.tv_usec;
 		compat_event.type = event->type;

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* [patch] Input: potential info leak in input_event_to_user()
@ 2011-09-23  6:22 ` Dan Carpenter
  0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23  6:22 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: linux-input, kernel-janitors

Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.

The issue here is that struct input_event_compat has a hole in it.

struct input_event_compat {
        struct compat_timeval {
        } time;                             /*     0     0 */

        /* XXX 8 bytes hole, try to pack */

        short unsigned int         type;    /*     8     2 */


Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/input/input-compat.c b/drivers/input/input-compat.c
index e46a867..007850a 100644
--- a/drivers/input/input-compat.c
+++ b/drivers/input/input-compat.c
@@ -44,6 +44,8 @@ int input_event_to_user(char __user *buffer,
 	if (INPUT_COMPAT_TEST) {
 		struct input_event_compat compat_event;
 
+		memset(&compat_event, 0, sizeof(compat_event));
+
 		compat_event.time.tv_sec = event->time.tv_sec;
 		compat_event.time.tv_usec = event->time.tv_usec;
 		compat_event.type = event->type;

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in input_event_to_user()
  2011-09-23  6:22 ` Dan Carpenter
@ 2011-09-23  7:29   ` Dmitry Torokhov
  -1 siblings, 0 replies; 6+ messages in thread
From: Dmitry Torokhov @ 2011-09-23  7:29 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: linux-input, kernel-janitors

On Fri, Sep 23, 2011 at 09:22:07AM +0300, Dan Carpenter wrote:
> Smatch has a new check for Rosenberg type information leaks where
> structs are copied to the user with uninitialized stack data in them.
> 
> The issue here is that struct input_event_compat has a hole in it.
> 
> struct input_event_compat {
>         struct compat_timeval {
>         } time;                             /*     0     0 */
> 
>         /* XXX 8 bytes hole, try to pack */
> 
>         short unsigned int         type;    /*     8     2 */

Hm, are you sure? 8-bytes is way too much. I'd expect type to be aligned
on 2-byte boundary, at least on x86_64...

> 
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/input/input-compat.c b/drivers/input/input-compat.c
> index e46a867..007850a 100644
> --- a/drivers/input/input-compat.c
> +++ b/drivers/input/input-compat.c
> @@ -44,6 +44,8 @@ int input_event_to_user(char __user *buffer,
>  	if (INPUT_COMPAT_TEST) {
>  		struct input_event_compat compat_event;
>  
> +		memset(&compat_event, 0, sizeof(compat_event));
> +
>  		compat_event.time.tv_sec = event->time.tv_sec;
>  		compat_event.time.tv_usec = event->time.tv_usec;
>  		compat_event.type = event->type;

-- 
Dmitry

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in input_event_to_user()
@ 2011-09-23  7:29   ` Dmitry Torokhov
  0 siblings, 0 replies; 6+ messages in thread
From: Dmitry Torokhov @ 2011-09-23  7:29 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: linux-input, kernel-janitors

On Fri, Sep 23, 2011 at 09:22:07AM +0300, Dan Carpenter wrote:
> Smatch has a new check for Rosenberg type information leaks where
> structs are copied to the user with uninitialized stack data in them.
> 
> The issue here is that struct input_event_compat has a hole in it.
> 
> struct input_event_compat {
>         struct compat_timeval {
>         } time;                             /*     0     0 */
> 
>         /* XXX 8 bytes hole, try to pack */
> 
>         short unsigned int         type;    /*     8     2 */

Hm, are you sure? 8-bytes is way too much. I'd expect type to be aligned
on 2-byte boundary, at least on x86_64...

> 
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/input/input-compat.c b/drivers/input/input-compat.c
> index e46a867..007850a 100644
> --- a/drivers/input/input-compat.c
> +++ b/drivers/input/input-compat.c
> @@ -44,6 +44,8 @@ int input_event_to_user(char __user *buffer,
>  	if (INPUT_COMPAT_TEST) {
>  		struct input_event_compat compat_event;
>  
> +		memset(&compat_event, 0, sizeof(compat_event));
> +
>  		compat_event.time.tv_sec = event->time.tv_sec;
>  		compat_event.time.tv_usec = event->time.tv_usec;
>  		compat_event.type = event->type;

-- 
Dmitry

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in input_event_to_user()
  2011-09-23  6:22 ` Dan Carpenter
@ 2011-09-23  7:31   ` Dan Carpenter
  -1 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23  7:31 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: linux-input, kernel-janitors

Sorry for the noise.  This is wrong.

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in input_event_to_user()
@ 2011-09-23  7:31   ` Dan Carpenter
  0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23  7:31 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: linux-input, kernel-janitors

Sorry for the noise.  This is wrong.

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2011-09-23  7:33 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-09-23  6:22 [patch] Input: potential info leak in input_event_to_user() Dan Carpenter
2011-09-23  6:22 ` Dan Carpenter
2011-09-23  7:29 ` Dmitry Torokhov
2011-09-23  7:29   ` Dmitry Torokhov
2011-09-23  7:31 ` Dan Carpenter
2011-09-23  7:31   ` Dan Carpenter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.