Message-ID: <5a6f05cef45dbb4f77008b36d7a63b429f1519ec.camel@perches.com>
Subject: Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
From: Joe Perches
To: Dan Carpenter, Bartlomiej Zolnierkiewicz, Andrea Righi
Cc: Daniel Vetter, Sam Ravnborg, Maarten Lankhorst, Peter Rosin, Gerd Hoffmann, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, security@kernel.org, Kees Cook, Julia Lawall
Date: Tue, 29 Oct 2019 11:35:55 -0700
In-Reply-To: <20191029182320.GA17569@mwanda>
References: <20191029182320.GA17569@mwanda>

On Tue, 2019-10-29 at 21:23 +0300, Dan Carpenter wrote:
> The "fix" struct has a 2 byte hole after ->ywrapstep and the
> "fix = info->fix;" assignment doesn't necessarily clear it. It depends
> on the compiler.
[]
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c [] > @@ -1109,6 +1109,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, > ret = -EFAULT; > break; > case FBIOGET_FSCREENINFO: > + memset(&fix, 0, sizeof(fix)); > lock_fb_info(info); > fix = info->fix; > if (info->flags & FBINFO_HIDE_SMEM_START)

Perhaps better to change the struct copy to a memcpy
--- drivers/video/fbdev/core/fbmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c index e6a1c80..364699 100644 --- a/drivers/video/fbdev/core/fbmem.c +++ b/drivers/video/fbdev/core/fbmem.c @@ -1110,7 +1110,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd, break; case FBIOGET_FSCREENINFO: lock_fb_info(info); - fix = info->fix; + memcpy(&fix, &info->fix, sizeof(fix)); if (info->flags & FBINFO_HIDE_SMEM_START) fix.smem_start = 0; unlock_fb_info(info);
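
Review bot: In the quoted hunk, the added memset(&fix, 0, sizeof(fix)) is followed directly by the whole-struct assignment "fix = info->fix;", and C leaves the destination's padding bytes unspecified after a struct assignment, so the hole after ->ywrapstep stays zero only if the compiler copies member by member. Add a short comment saying the memset is there for the padding hole, since it otherwise looks redundant before a full assignment and invites removal in a later cleanup.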
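
Review bot: The replacement line memcpy(&fix, &info->fix, sizeof(fix)) makes the 2 byte hole in fix a byte-for-byte copy of the hole in info->fix, so nothing leaks only if that source padding is already zero, which these lines do not show. State in the commit message where info->fix is guaranteed to be zero-initialised, or keep the memset from the original patch; the change also gives up the type checking that the struct assignment provided.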
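
The padding hole discussed in this message, as an added example that is not part of the thread or of the kernel source: `struct fix_demo` is a hypothetical stand-in for the members around `->ywrapstep`, and the three copy modes model a member-wise struct copy, a zero-then-copy and a whole-object memcpy on byte images with constructed fill values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the members around the hole (not the kernel struct). */
struct fix_demo {
	uint16_t xpanstep, ypanstep, ywrapstep; /* ends at byte 6 */
	uint32_t line_length;                   /* 4-byte aligned, starts at byte 8 */
};
#define HOLE_OFF (offsetof(struct fix_demo, ywrapstep) + sizeof(uint16_t))
#define HOLE_END offsetof(struct fix_demo, line_length)
#define PUT(img, v, m) memcpy((img) + offsetof(struct fix_demo, m), &(v)->m, sizeof((v)->m))
enum copy_mode { MEMBERWISE, ZERO_THEN_MEMBERWISE, WHOLE_MEMCPY };

size_t hole_size(void) { return HOLE_END - HOLE_OFF; }

/* Write only the named members into a raw image; padding bytes are not touched. */
static void put_members(unsigned char *img, const struct fix_demo *v)
{
	PUT(img, v, xpanstep);
	PUT(img, v, ypanstep);
	PUT(img, v, ywrapstep);
	PUT(img, v, line_length);
}

/* Non-zero hole bytes in the image headed for user space; src_fill = source padding. */
size_t leaked_bytes(enum copy_mode mode, unsigned char src_fill)
{
	const struct fix_demo v = { 1, 1, 0, 4096 }; /* constructed values */
	unsigned char src[sizeof(v)], dst[sizeof(v)];
	size_t i, n = 0;
	memset(src, src_fill, sizeof(src)); /* models info->fix, padding included */
	put_members(src, &v);
	memset(dst, 0xAA, sizeof(dst));     /* constructed stale stack bytes */
	if (mode == ZERO_THEN_MEMBERWISE)
		memset(dst, 0, sizeof(dst));
	if (mode == WHOLE_MEMCPY)
		memcpy(dst, src, sizeof(dst));
	else
		put_members(dst, &v);
	for (i = HOLE_OFF; i < HOLE_END; i++)
		n += dst[i] != 0;
	return n;
}

int main(void)
{
	printf("hole=%zu memberwise=%zu zero-first=%zu memcpy=%zu\n", hole_size(),
	       leaked_bytes(MEMBERWISE, 0), leaked_bytes(ZERO_THEN_MEMBERWISE, 0x55),
	       leaked_bytes(WHOLE_MEMCPY, 0x55));
	return 0;
}
```

The whole-object memcpy result follows the source's padding: with `src_fill` set to 0 it reports no leaked bytes, with any other fill it reports the full hole.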