* [patch] Input: potential info leak in input_event_to_user()
@ 2011-09-23 6:22 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23 6:22 UTC (permalink / raw)
To: Dmitry Torokhov; +Cc: linux-input, kernel-janitors
Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.
The issue here is that struct input_event_compat has a hole in it.
struct input_event_compat {
struct compat_timeval {
} time; /* 0 0 */
/* XXX 8 bytes hole, try to pack */
short unsigned int type; /* 8 2 */
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/input/input-compat.c b/drivers/input/input-compat.c
index e46a867..007850a 100644
--- a/drivers/input/input-compat.c
+++ b/drivers/input/input-compat.c
@@ -44,6 +44,8 @@ int input_event_to_user(char __user *buffer,
if (INPUT_COMPAT_TEST) {
struct input_event_compat compat_event;
+ memset(&compat_event, 0, sizeof(compat_event));
+
compat_event.time.tv_sec = event->time.tv_sec;
compat_event.time.tv_usec = event->time.tv_usec;
compat_event.type = event->type;
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [patch] Input: potential info leak in input_event_to_user()
@ 2011-09-23 6:22 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23 6:22 UTC (permalink / raw)
To: Dmitry Torokhov; +Cc: linux-input, kernel-janitors
Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.
The issue here is that struct input_event_compat has a hole in it.
struct input_event_compat {
struct compat_timeval {
} time; /* 0 0 */
/* XXX 8 bytes hole, try to pack */
short unsigned int type; /* 8 2 */
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/input/input-compat.c b/drivers/input/input-compat.c
index e46a867..007850a 100644
--- a/drivers/input/input-compat.c
+++ b/drivers/input/input-compat.c
@@ -44,6 +44,8 @@ int input_event_to_user(char __user *buffer,
if (INPUT_COMPAT_TEST) {
struct input_event_compat compat_event;
+ memset(&compat_event, 0, sizeof(compat_event));
+
compat_event.time.tv_sec = event->time.tv_sec;
compat_event.time.tv_usec = event->time.tv_usec;
compat_event.type = event->type;
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in input_event_to_user()
2011-09-23 6:22 ` Dan Carpenter
@ 2011-09-23 7:29 ` Dmitry Torokhov
-1 siblings, 0 replies; 6+ messages in thread
From: Dmitry Torokhov @ 2011-09-23 7:29 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-input, kernel-janitors
On Fri, Sep 23, 2011 at 09:22:07AM +0300, Dan Carpenter wrote:
> Smatch has a new check for Rosenberg type information leaks where
> structs are copied to the user with uninitialized stack data in them.
>
> The issue here is that struct input_event_compat has a hole in it.
>
> struct input_event_compat {
> struct compat_timeval {
> } time; /* 0 0 */
>
> /* XXX 8 bytes hole, try to pack */
>
> short unsigned int type; /* 8 2 */
Hm, are you sure? 8-bytes is way too much. I'd expect type to be aligned
on 2-byte boundary, at least on x86_64...
>
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/input/input-compat.c b/drivers/input/input-compat.c
> index e46a867..007850a 100644
> --- a/drivers/input/input-compat.c
> +++ b/drivers/input/input-compat.c
> @@ -44,6 +44,8 @@ int input_event_to_user(char __user *buffer,
> if (INPUT_COMPAT_TEST) {
> struct input_event_compat compat_event;
>
> + memset(&compat_event, 0, sizeof(compat_event));
> +
> compat_event.time.tv_sec = event->time.tv_sec;
> compat_event.time.tv_usec = event->time.tv_usec;
> compat_event.type = event->type;
--
Dmitry
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in input_event_to_user()
@ 2011-09-23 7:29 ` Dmitry Torokhov
0 siblings, 0 replies; 6+ messages in thread
From: Dmitry Torokhov @ 2011-09-23 7:29 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-input, kernel-janitors
On Fri, Sep 23, 2011 at 09:22:07AM +0300, Dan Carpenter wrote:
> Smatch has a new check for Rosenberg type information leaks where
> structs are copied to the user with uninitialized stack data in them.
>
> The issue here is that struct input_event_compat has a hole in it.
>
> struct input_event_compat {
> struct compat_timeval {
> } time; /* 0 0 */
>
> /* XXX 8 bytes hole, try to pack */
>
> short unsigned int type; /* 8 2 */
Hm, are you sure? 8-bytes is way too much. I'd expect type to be aligned
on 2-byte boundary, at least on x86_64...
>
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/input/input-compat.c b/drivers/input/input-compat.c
> index e46a867..007850a 100644
> --- a/drivers/input/input-compat.c
> +++ b/drivers/input/input-compat.c
> @@ -44,6 +44,8 @@ int input_event_to_user(char __user *buffer,
> if (INPUT_COMPAT_TEST) {
> struct input_event_compat compat_event;
>
> + memset(&compat_event, 0, sizeof(compat_event));
> +
> compat_event.time.tv_sec = event->time.tv_sec;
> compat_event.time.tv_usec = event->time.tv_usec;
> compat_event.type = event->type;
--
Dmitry
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in input_event_to_user()
2011-09-23 6:22 ` Dan Carpenter
@ 2011-09-23 7:31 ` Dan Carpenter
-1 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23 7:31 UTC (permalink / raw)
To: Dmitry Torokhov; +Cc: linux-input, kernel-janitors
Sorry for the noise. This is wrong.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [patch] Input: potential info leak in input_event_to_user()
@ 2011-09-23 7:31 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2011-09-23 7:31 UTC (permalink / raw)
To: Dmitry Torokhov; +Cc: linux-input, kernel-janitors
Sorry for the noise. This is wrong.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2011-09-23 7:33 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-09-23 6:22 [patch] Input: potential info leak in input_event_to_user() Dan Carpenter
2011-09-23 6:22 ` Dan Carpenter
2011-09-23 7:29 ` Dmitry Torokhov
2011-09-23 7:29 ` Dmitry Torokhov
2011-09-23 7:31 ` Dan Carpenter
2011-09-23 7:31 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.