Subject: Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling
From: Phil Elwell
To: Dan Carpenter
Cc: devel@driverdev.osuosl.org, Arnd Bergmann, Greg Kroah-Hartman, bcm-kernel-feedback-list@broadcom.com, Nicolas Saenz Julienne, linux-arm-kernel@lists.infradead.org, linux-rpi-kernel@lists.infradead.org
Date: Mon, 4 Jan 2021 19:26:42 +0000
Message-ID: <989ef44f-2afe-5147-1277-74df56797a4c@raspberrypi.com>
In-Reply-To: <20210104183134.GV2809@kadam>
References: <20210104120929.294063-1-phil@raspberrypi.com> <20210104120929.294063-2-phil@raspberrypi.com> <20210104183134.GV2809@kadam>
List-Id: Linux Driver Project Developer List

On 04/01/2021 18:31, Dan Carpenter wrote:
> On Mon, Jan 04, 2021 at 12:09:27PM +0000, Phil Elwell wrote:
>> The addition of the local 'userdata' pointer to
>> vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor
>> WAITING modes are used, in which case the value provided by the
>> caller is replaced with a NULL.
>>
>> Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations")
>>
>> Signed-off-by: Phil Elwell
>> ---
>>  drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> index f500a7043805..2a8883673ba1 100644
>> --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
>> @@ -958,7 +958,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance,
>>  	struct vchiq_service *service;
>>  	struct bulk_waiter_node *waiter = NULL;
>>  	bool found = false;
>> -	void *userdata = NULL;
>> +	void *userdata;
>>  	int status = 0;
>>  	int ret;
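Review bot: dropping the `= NULL` initializer from `void *userdata` is a deliberate part of the fix, since it lets the compiler flag any path that reaches the use without assigning the variable, but nothing in the commit message says so and the hunk's context does not show the remaining branches of the mode selection that must now all assign it. State in the commit message that the initializer is removed on purpose, so a later cleanup does not put `= NULL` back and silently reintroduce the "replaced with a NULL" behaviour this patch fixes.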
>>
>> @@ -997,6 +997,8 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance,
>>  			"found bulk_waiter %pK for pid %d", waiter,
>>  			current->pid);
>>  		userdata = &waiter->bulk_waiter;
>> +	} else {
>> +		userdata = args->userdata;
>
> "args->userdata" is marked as a user pointer so we really don't want to
> mix user and kernel pointers here.  Presumably this opens up a large
> security hole.

It's an opaque, pointer-sized token that only exists to be returned to
userspace (or not, without this patch) - it's hard to see that as a
security hole.

Phil
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
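Review bot: `userdata = args->userdata;` in the second hunk stores the `__user`-annotated pointer Dan points out into the plain `void *userdata` declared in the first hunk, the same local that the branch just above fills with the kernel pointer `&waiter->bulk_waiter`, so sparse will report the address-space mismatch and the type no longer records whether the value may be dereferenced. If, as the reply says, the value is only an opaque token handed back to userspace, make that explicit at the assignment with a `(void __force *)` cast and a one-line comment saying the token is never dereferenced in the kernel; that keeps the annotation that 4184da4f316a introduced meaningful on this path and stops a later reader from treating the value as a kernel pointer.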