From: Greg Kroah-Hartman
To: Luben Tuikov
Cc: Alex Deucher, Christian Koenig, Xiaojie Yuan, Thomas Zimmermann, Arnd Bergmann, David Airlie, Felix Kuehling, LKML, amd-gfx list, Nicholas Kazlauskas, Marek Olšák, Hans de Goede, Trek, Mailing list - DRI developers, Daniel Vetter, Evan Quan, Leo Liu, Peilin Ye, Dan Carpenter, linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
Date: Fri, 31 Jul 2020 08:53:22 +0200
Message-ID: <20200731065322.GA1518178@kroah.com>
In-Reply-To: <8c5cf518-12d2-7495-7822-c7ebf8e61972@amd.com>
References: <20200728192924.441570-1-yepeilin.cs@gmail.com> <30b2a31f-77c2-56c1-ecde-875c6eea99d5@gmail.com> <8c5cf518-12d2-7495-7822-c7ebf8e61972@amd.com>

On Thu, Jul 30, 2020 at 05:09:07PM -0400, Luben Tuikov wrote:
> On 2020-07-29 9:49 a.m., Alex Deucher wrote:
> > On Wed, Jul 29, 2020 at 4:11 AM Christian König wrote:
> >>
> >> On 28.07.20 at 21:29, Peilin Ye wrote:
> >>> Compiler leaves a 4-byte hole near the end of `dev_info`, causing
> >>> amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace
> >>> when `size` is greater than 356.
> >>>
> >>> In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which
> >>> unfortunately does not initialize that 4-byte hole. Fix it by using
> >>> memset() instead.
> >>>
> >>> Cc: stable@vger.kernel.org
> >>> Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()")
> >>> Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
> >>> Suggested-by: Dan Carpenter
> >>> Signed-off-by: Peilin Ye
> >>
> >> Reviewed-by: Christian König
> >>
> >> I can't count how many of those we have fixed over the years.
> >>
> >> At some point we should probably document that using "= {}" or "= { 0 }"
> >> in the kernel is a really bad idea and should be avoided.
> >
> > Moreover, it seems like different compilers seem to behave relatively
> > differently with these and we often get reports of warnings with these
> > on clang. When in doubt, memset.
>
> There are quite a few of those under drivers/gpu/drm, for "amd/", "scheduler/"
> drm*.c files,
>
> $ find . \( -regex "./drm.*\.c" -or -regex "./amd/.*\.c" -or -regex "./scheduler/.*\.c" \) -exec egrep -n -- " *= *{ *(|NULL|0) *}" \{\} \+ | wc -l
> 374
> $ _
>
> Out of which only 16 are of the non-ISO C variety, "= {}",
>
> $ find . \( -regex "./drm.*\.c" -or -regex "./amd/.*\.c" -or -regex "./scheduler/.*\.c" \) -exec egrep -n -- " *= *{ *}" \{\} \+ | wc -l
> 16
> $ _
>
> Perhaps the latter are the more pressing ones, since it is a C++ initializer and not an ISO C one.

It only matters when we are copying the data to userspace; if it all stays
in the kernel, all is fine.

thanks,

greg k-h
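An added example, not part of this thread or of the amdgpu driver, to make the padding-hole point above concrete. `struct info_out` is a hypothetical stand-in for the driver's `drm_amdgpu_info_device` (the real layout is not reproduced here): a 4-byte member in front of an 8-byte-aligned member leaves a 4-byte hole, and a trailing 4-byte member leaves a 4-byte tail pad. C only guarantees zeroed padding for objects with static storage duration; for an automatic object with a brace initializer (`= { 0 }`, or the GNU/C++ `= {}` the 2015 fix used) the padding bytes are unspecified, which is why the result of `fill_with_empty_init()` depends on compiler and optimization level while the `memset()` variant from the patch is zero by construction. `memcpy()` stands in for `copy_to_user()`, and `leak_count()` dirties the stack first so any uninitialized padding becomes visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for an ioctl output struct (not the driver's real
 * drm_amdgpu_info_device). _Alignas(8) pins the layout so the holes sit at
 * the same offsets on every ABI (it is the natural alignment on x86-64 and
 * arm64 anyway).
 */
struct info_out {
	uint64_t id;                /* bytes 0..7 */
	uint32_t flags;             /* bytes 8..11, hole at 12..15 */
	_Alignas(8) uint64_t caps;  /* bytes 16..23 */
	uint32_t count;             /* bytes 24..27, tail hole at 28..31 */
};

#define MEMBER_BYTES (sizeof(uint64_t) + sizeof(uint32_t) + \
		      sizeof(uint64_t) + sizeof(uint32_t))

/* Bytes of the object image that belong to no member, i.e. the padding. */
size_t padding_bytes(void)
{
	return sizeof(struct info_out) - MEMBER_BYTES;
}

/* True if byte offset 'off' of a struct info_out image is padding. */
int is_padding_offset(size_t off)
{
	size_t hole_start = offsetof(struct info_out, flags) + sizeof(uint32_t);
	size_t hole_end   = offsetof(struct info_out, caps);
	size_t tail_start = offsetof(struct info_out, count) + sizeof(uint32_t);

	return (off >= hole_start && off < hole_end) || off >= tail_start;
}

/* Count non-zero bytes at padding offsets in the first 'len' bytes copied out. */
size_t nonzero_padding(const unsigned char *img, size_t len)
{
	size_t n = 0;

	for (size_t i = 0; i < len && i < sizeof(struct info_out); i++)
		if (is_padding_offset(i) && img[i] != 0)
			n++;
	return n;
}

/* Leave a recognisable pattern in stack memory that a later callee may reuse. */
void dirty_stack(void)
{
	volatile unsigned char junk[256];

	for (size_t i = 0; i < sizeof(junk); i++)
		junk[i] = 0xAA;
}

/*
 * The pattern the thread warns about: the initializer zeroes every member,
 * but the padding of an automatic object is unspecified, so stale stack
 * bytes can survive into the copy. memcpy() stands in for copy_to_user().
 */
size_t fill_with_empty_init(unsigned char *user_buf, size_t size)
{
	struct info_out dev_info = { 0 };
	size_t n = size < sizeof(dev_info) ? size : sizeof(dev_info);

	dev_info.id = 1; dev_info.flags = 2; dev_info.caps = 3; dev_info.count = 4;
	memcpy(user_buf, &dev_info, n);
	return n;
}

/* The hardened variant from the patch: memset() covers every byte, holes included. */
size_t fill_with_memset(unsigned char *user_buf, size_t size)
{
	struct info_out dev_info;
	size_t n = size < sizeof(dev_info) ? size : sizeof(dev_info);

	memset(&dev_info, 0, sizeof(dev_info));
	dev_info.id = 1; dev_info.flags = 2; dev_info.caps = 3; dev_info.count = 4;
	memcpy(user_buf, &dev_info, n);
	return n;
}

/* Dirty the stack, run one fill routine, report how many padding bytes leaked. */
size_t leak_count(size_t (*fill)(unsigned char *, size_t))
{
	unsigned char user_buf[sizeof(struct info_out)];
	size_t n;

	dirty_stack();
	n = fill(user_buf, sizeof(user_buf));
	return nonzero_padding(user_buf, n);
}

int main(void)
{
	printf("sizeof=%zu members=%zu padding=%zu\n",
	       sizeof(struct info_out), MEMBER_BYTES, padding_bytes());
	printf("= { 0 }: %zu leaked padding bytes (compiler/optimisation dependent)\n",
	       leak_count(fill_with_empty_init));
	printf("memset : %zu leaked padding bytes\n", leak_count(fill_with_memset));
	return 0;
}
```

Build it with and without optimization and compare the first `leak_count` line; the second is always 0. On a real kernel tree the holes in a given struct can be listed with `pahole` from the dwarves package, and the initializer sites themselves with the egrep Luben ran over drivers/gpu/drm.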