* [Linux-kernel-mentees] [PATCH] scsi/megaraid: Prevent kernel-infoleak in kioc_to_mimd()
@ 2020-07-27 21:02 ` Peilin Ye
0 siblings, 0 replies; 8+ messages in thread
From: Peilin Ye @ 2020-07-27 21:02 UTC (permalink / raw)
To: Kashyap Desai, Sumit Saxena
Cc: Peilin Ye, Dan Carpenter, Arnd Bergmann, Greg Kroah-Hartman,
Shivasharan S, James E.J. Bottomley, Martin K. Petersen,
linux-kernel-mentees, megaraidlinux.pdl, linux-scsi,
linux-kernel
hinfo_to_cinfo() does no operation on `cinfo` when `hinfo` is NULL,
causing kioc_to_mimd() to copy uninitialized stack memory to userspace.
Fix it by initializing `cinfo` with memset().
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
---
drivers/scsi/megaraid/megaraid_mm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c
index 8df53446641a..9df0e6b253a8 100644
--- a/drivers/scsi/megaraid/megaraid_mm.c
+++ b/drivers/scsi/megaraid/megaraid_mm.c
@@ -816,6 +816,8 @@ kioc_to_mimd(uioc_t *kioc, mimd_t __user *mimd)
case MEGAIOC_QADAPINFO:
+ memset(&cinfo, 0, sizeof(cinfo));
+
hinfo = (mraid_hba_info_t *)(unsigned long)
kioc->buf_vaddr;
--
2.25.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [Linux-kernel-mentees] [PATCH] scsi/megaraid: Prevent kernel-infoleak in kioc_to_mimd()
@ 2020-07-27 21:02 ` Peilin Ye
0 siblings, 0 replies; 8+ messages in thread
From: Peilin Ye @ 2020-07-27 21:02 UTC (permalink / raw)
To: Kashyap Desai, Sumit Saxena
Cc: Martin K. Petersen, Arnd Bergmann, Shivasharan S,
James E.J. Bottomley, linux-kernel, megaraidlinux.pdl,
linux-scsi, linux-kernel-mentees, Peilin Ye, Dan Carpenter
hinfo_to_cinfo() does no operation on `cinfo` when `hinfo` is NULL,
causing kioc_to_mimd() to copy uninitialized stack memory to userspace.
Fix it by initializing `cinfo` with memset().
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
---
drivers/scsi/megaraid/megaraid_mm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c
index 8df53446641a..9df0e6b253a8 100644
--- a/drivers/scsi/megaraid/megaraid_mm.c
+++ b/drivers/scsi/megaraid/megaraid_mm.c
@@ -816,6 +816,8 @@ kioc_to_mimd(uioc_t *kioc, mimd_t __user *mimd)
case MEGAIOC_QADAPINFO:
+ memset(&cinfo, 0, sizeof(cinfo));
+
hinfo = (mraid_hba_info_t *)(unsigned long)
kioc->buf_vaddr;
--
2.25.1
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [Linux-kernel-mentees] [PATCH] scsi/megaraid: Prevent kernel-infoleak in kioc_to_mimd()
2020-07-27 21:02 ` Peilin Ye
@ 2020-07-28 8:41 ` Dan Carpenter
-1 siblings, 0 replies; 8+ messages in thread
From: Dan Carpenter @ 2020-07-28 8:41 UTC (permalink / raw)
To: Peilin Ye
Cc: Kashyap Desai, Sumit Saxena, Arnd Bergmann, Greg Kroah-Hartman,
Shivasharan S, James E.J. Bottomley, Martin K. Petersen,
linux-kernel-mentees, megaraidlinux.pdl, linux-scsi,
linux-kernel
On Mon, Jul 27, 2020 at 05:02:35PM -0400, Peilin Ye wrote:
> hinfo_to_cinfo() does no operation on `cinfo` when `hinfo` is NULL,
> causing kioc_to_mimd() to copy uninitialized stack memory to userspace.
> Fix it by initializing `cinfo` with memset().
But "hinfo" can't be NULL so this patch isn't required. It's a bit
hard for Smatch to follow the code.
We know that "opcode" is 82 so the buffer is allocated by mimd_to_kioc()
-> mraid_mm_attach_buf().
Generally, don't silence static checker warnings unless it makes the
code more readable. It's the checker writer's job to fix their own code.
In this case, that's me, but parsing the code is quite complicated and I
don't have a plan for how to fix it.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Linux-kernel-mentees] [PATCH] scsi/megaraid: Prevent kernel-infoleak in kioc_to_mimd()
@ 2020-07-28 8:41 ` Dan Carpenter
0 siblings, 0 replies; 8+ messages in thread
From: Dan Carpenter @ 2020-07-28 8:41 UTC (permalink / raw)
To: Peilin Ye
Cc: Martin K. Petersen, Arnd Bergmann, Shivasharan S,
James E.J. Bottomley, linux-kernel, Kashyap Desai, Sumit Saxena,
linux-scsi, linux-kernel-mentees, megaraidlinux.pdl
On Mon, Jul 27, 2020 at 05:02:35PM -0400, Peilin Ye wrote:
> hinfo_to_cinfo() does no operation on `cinfo` when `hinfo` is NULL,
> causing kioc_to_mimd() to copy uninitialized stack memory to userspace.
> Fix it by initializing `cinfo` with memset().
But "hinfo" can't be NULL so this patch isn't required. It's a bit
hard for Smatch to follow the code.
We know that "opcode" is 82 so the buffer is allocated by mimd_to_kioc()
-> mraid_mm_attach_buf().
Generally, don't silence static checker warnings unless it makes the
code more readable. It's the checker writer's job to fix their own code.
In this case, that's me, but parsing the code is quite complicated and I
don't have a plan for how to fix it.
regards,
dan carpenter
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Linux-kernel-mentees] [PATCH] scsi/megaraid: Prevent kernel-infoleak in kioc_to_mimd()
2020-07-28 8:41 ` Dan Carpenter
@ 2020-07-28 8:57 ` Dan Carpenter
-1 siblings, 0 replies; 8+ messages in thread
From: Dan Carpenter @ 2020-07-28 8:57 UTC (permalink / raw)
To: Peilin Ye
Cc: Kashyap Desai, Sumit Saxena, Arnd Bergmann, Greg Kroah-Hartman,
Shivasharan S, James E.J. Bottomley, Martin K. Petersen,
linux-kernel-mentees, megaraidlinux.pdl, linux-scsi,
linux-kernel
On Tue, Jul 28, 2020 at 11:41:37AM +0300, Dan Carpenter wrote:
> Generally, don't silence static checker warnings unless it makes the
> code more readable. It's the checker writer's job to fix their own code.
> In this case, that's me, but parsing the code is quite complicated and I
> don't have a plan for how to fix it.
Actually, looking at this some more, it's not so complicated. By this
time next year hopefully this warning will be silenced.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Linux-kernel-mentees] [PATCH] scsi/megaraid: Prevent kernel-infoleak in kioc_to_mimd()
@ 2020-07-28 8:57 ` Dan Carpenter
0 siblings, 0 replies; 8+ messages in thread
From: Dan Carpenter @ 2020-07-28 8:57 UTC (permalink / raw)
To: Peilin Ye
Cc: Martin K. Petersen, Arnd Bergmann, Shivasharan S,
James E.J. Bottomley, linux-kernel, Kashyap Desai, Sumit Saxena,
linux-scsi, linux-kernel-mentees, megaraidlinux.pdl
On Tue, Jul 28, 2020 at 11:41:37AM +0300, Dan Carpenter wrote:
> Generally, don't silence static checker warnings unless it makes the
> code more readable. It's the checker writer's job to fix their own code.
> In this case, that's me, but parsing the code is quite complicated and I
> don't have a plan for how to fix it.
Actually, looking at this some more, it's not so complicated. By this
time next year hopefully this warning will be silenced.
regards,
dan carpenter
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Linux-kernel-mentees] [PATCH] scsi/megaraid: Prevent kernel-infoleak in kioc_to_mimd()
2020-07-28 8:41 ` Dan Carpenter
@ 2020-07-28 10:57 ` Peilin Ye
-1 siblings, 0 replies; 8+ messages in thread
From: Peilin Ye @ 2020-07-28 10:57 UTC (permalink / raw)
To: Dan Carpenter
Cc: Kashyap Desai, Sumit Saxena, Arnd Bergmann, Greg Kroah-Hartman,
Shivasharan S, James E.J. Bottomley, Martin K. Petersen,
linux-kernel-mentees, megaraidlinux.pdl, linux-scsi,
linux-kernel
On Tue, Jul 28, 2020 at 11:41:37AM +0300, Dan Carpenter wrote:
> On Mon, Jul 27, 2020 at 05:02:35PM -0400, Peilin Ye wrote:
> > hinfo_to_cinfo() does no operation on `cinfo` when `hinfo` is NULL,
> > causing kioc_to_mimd() to copy uninitialized stack memory to userspace.
> > Fix it by initializing `cinfo` with memset().
>
> But "hinfo" can't be NULL so this patch isn't required. It's a bit
> hard for Smatch to follow the code.
>
> We know that "opcode" is 82 so the buffer is allocated by mimd_to_kioc()
> -> mraid_mm_attach_buf().
You are right. mraid_mm_ioctl() returns -ENOMEM and never reaches
kioc_to_mimd() if mraid_mm_attach_buf() failed to get a buffer, so
`hinfo` can never be NULL for kioc_to_mimd().
Next time I will trace the data flow more carefully. Thank you for
pointing this out!
Peilin Ye
> Generally, don't silence static checker warnings unless it makes the
> code more readable. It's the checker writer's job to fix their own code.
> In this case, that's me, but parsing the code is quite complicated and I
> don't have a plan for how to fix it.
>
> regards,
> dan carpenter
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Linux-kernel-mentees] [PATCH] scsi/megaraid: Prevent kernel-infoleak in kioc_to_mimd()
@ 2020-07-28 10:57 ` Peilin Ye
0 siblings, 0 replies; 8+ messages in thread
From: Peilin Ye @ 2020-07-28 10:57 UTC (permalink / raw)
To: Dan Carpenter
Cc: Martin K. Petersen, Arnd Bergmann, Shivasharan S,
James E.J. Bottomley, linux-kernel, Kashyap Desai, Sumit Saxena,
linux-scsi, linux-kernel-mentees, megaraidlinux.pdl
On Tue, Jul 28, 2020 at 11:41:37AM +0300, Dan Carpenter wrote:
> On Mon, Jul 27, 2020 at 05:02:35PM -0400, Peilin Ye wrote:
> > hinfo_to_cinfo() does no operation on `cinfo` when `hinfo` is NULL,
> > causing kioc_to_mimd() to copy uninitialized stack memory to userspace.
> > Fix it by initializing `cinfo` with memset().
>
> But "hinfo" can't be NULL so this patch isn't required. It's a bit
> hard for Smatch to follow the code.
>
> We know that "opcode" is 82 so the buffer is allocated by mimd_to_kioc()
> -> mraid_mm_attach_buf().
You are right. mraid_mm_ioctl() returns -ENOMEM and never reaches
kioc_to_mimd() if mraid_mm_attach_buf() failed to get a buffer, so
`hinfo` can never be NULL for kioc_to_mimd().
Next time I will trace the data flow more carefully. Thank you for
pointing this out!
Peilin Ye
> Generally, don't silence static checker warnings unless it makes the
> code more readable. It's the checker writer's job to fix their own code.
> In this case, that's me, but parsing the code is quite complicated and I
> don't have a plan for how to fix it.
>
> regards,
> dan carpenter
>
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-07-28 10:57 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-27 21:02 [Linux-kernel-mentees] [PATCH] scsi/megaraid: Prevent kernel-infoleak in kioc_to_mimd() Peilin Ye
2020-07-27 21:02 ` Peilin Ye
2020-07-28 8:41 ` Dan Carpenter
2020-07-28 8:41 ` Dan Carpenter
2020-07-28 8:57 ` Dan Carpenter
2020-07-28 8:57 ` Dan Carpenter
2020-07-28 10:57 ` Peilin Ye
2020-07-28 10:57 ` Peilin Ye
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.