From: Alex Deucher <alexdeucher@gmail.com>
To: Christian Koenig <christian.koenig@amd.com>
Cc: "Peilin Ye" <yepeilin.cs@gmail.com>,
"Alex Deucher" <alexander.deucher@amd.com>,
"David Airlie" <airlied@linux.ie>,
"Daniel Vetter" <daniel@ffwll.ch>, "Leo Liu" <leo.liu@amd.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Felix Kuehling" <Felix.Kuehling@amd.com>,
LKML <linux-kernel@vger.kernel.org>,
"amd-gfx list" <amd-gfx@lists.freedesktop.org>,
"Marek Olšák" <marek.olsak@amd.com>,
"Hans de Goede" <hdegoede@redhat.com>, Trek <trek00@inbox.ru>,
"Maling list - DRI developers" <dri-devel@lists.freedesktop.org>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Evan Quan" <evan.quan@amd.com>,
linux-kernel-mentees@lists.linuxfoundation.org,
"Nicholas Kazlauskas" <nicholas.kazlauskas@amd.com>,
"Dan Carpenter" <dan.carpenter@oracle.com>,
"Xiaojie Yuan" <xiaojie.yuan@amd.com>
Subject: Re: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
Date: Wed, 29 Jul 2020 17:55:42 -0400 [thread overview]
Message-ID: <CADnq5_Pzz5A4kRyF061K+0hjsBEe7GT6j3zrfKZUrbjGcy1GBQ@mail.gmail.com> (raw)
In-Reply-To: <30b2a31f-77c2-56c1-ecde-875c6eea99d5@gmail.com>
Applied. Thanks!
Alex
On Wed, Jul 29, 2020 at 4:11 AM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 28.07.20 um 21:29 schrieb Peilin Ye:
> > Compiler leaves a 4-byte hole near the end of `dev_info`, causing
> > amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace
> > when `size` is greater than 356.
> >
> > In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which
> > unfortunately does not initialize that 4-byte hole. Fix it by using
> > memset() instead.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()")
> > Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
> > Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
>
> Reviewed-by: Christian König <christian.koenig@amd.com>
>
> I can't count how many of those we have fixed over the years.
>
> At some point we should probably document that using "= {}" or "= { 0 }"
> in the kernel is a really bad idea and should be avoided.
>
> Thanks,
> Christian.
>
> > ---
> > $ pahole -C "drm_amdgpu_info_device" drivers/gpu/drm/amd/amdgpu/amdgpu_kms.o
> > struct drm_amdgpu_info_device {
> > __u32 device_id; /* 0 4 */
> > __u32 chip_rev; /* 4 4 */
> > __u32 external_rev; /* 8 4 */
> > __u32 pci_rev; /* 12 4 */
> > __u32 family; /* 16 4 */
> > __u32 num_shader_engines; /* 20 4 */
> > __u32 num_shader_arrays_per_engine; /* 24 4 */
> > __u32 gpu_counter_freq; /* 28 4 */
> > __u64 max_engine_clock; /* 32 8 */
> > __u64 max_memory_clock; /* 40 8 */
> > __u32 cu_active_number; /* 48 4 */
> > __u32 cu_ao_mask; /* 52 4 */
> > __u32 cu_bitmap[4][4]; /* 56 64 */
> > /* --- cacheline 1 boundary (64 bytes) was 56 bytes ago --- */
> > __u32 enabled_rb_pipes_mask; /* 120 4 */
> > __u32 num_rb_pipes; /* 124 4 */
> > /* --- cacheline 2 boundary (128 bytes) --- */
> > __u32 num_hw_gfx_contexts; /* 128 4 */
> > __u32 _pad; /* 132 4 */
> > __u64 ids_flags; /* 136 8 */
> > __u64 virtual_address_offset; /* 144 8 */
> > __u64 virtual_address_max; /* 152 8 */
> > __u32 virtual_address_alignment; /* 160 4 */
> > __u32 pte_fragment_size; /* 164 4 */
> > __u32 gart_page_size; /* 168 4 */
> > __u32 ce_ram_size; /* 172 4 */
> > __u32 vram_type; /* 176 4 */
> > __u32 vram_bit_width; /* 180 4 */
> > __u32 vce_harvest_config; /* 184 4 */
> > __u32 gc_double_offchip_lds_buf; /* 188 4 */
> > /* --- cacheline 3 boundary (192 bytes) --- */
> > __u64 prim_buf_gpu_addr; /* 192 8 */
> > __u64 pos_buf_gpu_addr; /* 200 8 */
> > __u64 cntl_sb_buf_gpu_addr; /* 208 8 */
> > __u64 param_buf_gpu_addr; /* 216 8 */
> > __u32 prim_buf_size; /* 224 4 */
> > __u32 pos_buf_size; /* 228 4 */
> > __u32 cntl_sb_buf_size; /* 232 4 */
> > __u32 param_buf_size; /* 236 4 */
> > __u32 wave_front_size; /* 240 4 */
> > __u32 num_shader_visible_vgprs; /* 244 4 */
> > __u32 num_cu_per_sh; /* 248 4 */
> > __u32 num_tcc_blocks; /* 252 4 */
> > /* --- cacheline 4 boundary (256 bytes) --- */
> > __u32 gs_vgt_table_depth; /* 256 4 */
> > __u32 gs_prim_buffer_depth; /* 260 4 */
> > __u32 max_gs_waves_per_vgt; /* 264 4 */
> > __u32 _pad1; /* 268 4 */
> > __u32 cu_ao_bitmap[4][4]; /* 272 64 */
> > /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */
> > __u64 high_va_offset; /* 336 8 */
> > __u64 high_va_max; /* 344 8 */
> > __u32 pa_sc_tile_steering_override; /* 352 4 */
> >
> > /* XXX 4 bytes hole, try to pack */
> >
> > __u64 tcc_disabled_mask; /* 360 8 */
> >
> > /* size: 368, cachelines: 6, members: 49 */
> > /* sum members: 364, holes: 1, sum holes: 4 */
> > /* last cacheline: 48 bytes */
> > };
> >
> > drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > index a8c47aecd342..0047da06041f 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > @@ -707,9 +707,10 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file
> > return n ? -EFAULT : 0;
> > }
> > case AMDGPU_INFO_DEV_INFO: {
> > - struct drm_amdgpu_info_device dev_info = {};
> > + struct drm_amdgpu_info_device dev_info;
> > uint64_t vm_size;
> >
> > + memset(&dev_info, 0, sizeof(dev_info));
> > dev_info.device_id = dev->pdev->device;
> > dev_info.chip_rev = adev->rev_id;
> > dev_info.external_rev = adev->external_rev_id;
>
> _______________________________________________
> amd-gfx mailing list
> amd-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/amd-gfx
WARNING: multiple messages have this Message-ID (diff)
From: Alex Deucher <alexdeucher@gmail.com>
To: Christian Koenig <christian.koenig@amd.com>
Cc: "Xiaojie Yuan" <xiaojie.yuan@amd.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Arnd Bergmann" <arnd@arndb.de>,
"David Airlie" <airlied@linux.ie>,
"Felix Kuehling" <Felix.Kuehling@amd.com>,
LKML <linux-kernel@vger.kernel.org>,
"amd-gfx list" <amd-gfx@lists.freedesktop.org>,
"Nicholas Kazlauskas" <nicholas.kazlauskas@amd.com>,
"Marek Olšák" <marek.olsak@amd.com>,
"Hans de Goede" <hdegoede@redhat.com>, Trek <trek00@inbox.ru>,
"Maling list - DRI developers" <dri-devel@lists.freedesktop.org>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Evan Quan" <evan.quan@amd.com>, "Leo Liu" <leo.liu@amd.com>,
"Peilin Ye" <yepeilin.cs@gmail.com>,
"Dan Carpenter" <dan.carpenter@oracle.com>,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
Date: Wed, 29 Jul 2020 17:55:42 -0400 [thread overview]
Message-ID: <CADnq5_Pzz5A4kRyF061K+0hjsBEe7GT6j3zrfKZUrbjGcy1GBQ@mail.gmail.com> (raw)
In-Reply-To: <30b2a31f-77c2-56c1-ecde-875c6eea99d5@gmail.com>
Applied. Thanks!
Alex
On Wed, Jul 29, 2020 at 4:11 AM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 28.07.20 um 21:29 schrieb Peilin Ye:
> > Compiler leaves a 4-byte hole near the end of `dev_info`, causing
> > amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace
> > when `size` is greater than 356.
> >
> > In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which
> > unfortunately does not initialize that 4-byte hole. Fix it by using
> > memset() instead.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()")
> > Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
> > Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
>
> Reviewed-by: Christian König <christian.koenig@amd.com>
>
> I can't count how many of those we have fixed over the years.
>
> At some point we should probably document that using "= {}" or "= { 0 }"
> in the kernel is a really bad idea and should be avoided.
>
> Thanks,
> Christian.
>
> > ---
> > $ pahole -C "drm_amdgpu_info_device" drivers/gpu/drm/amd/amdgpu/amdgpu_kms.o
> > struct drm_amdgpu_info_device {
> > __u32 device_id; /* 0 4 */
> > __u32 chip_rev; /* 4 4 */
> > __u32 external_rev; /* 8 4 */
> > __u32 pci_rev; /* 12 4 */
> > __u32 family; /* 16 4 */
> > __u32 num_shader_engines; /* 20 4 */
> > __u32 num_shader_arrays_per_engine; /* 24 4 */
> > __u32 gpu_counter_freq; /* 28 4 */
> > __u64 max_engine_clock; /* 32 8 */
> > __u64 max_memory_clock; /* 40 8 */
> > __u32 cu_active_number; /* 48 4 */
> > __u32 cu_ao_mask; /* 52 4 */
> > __u32 cu_bitmap[4][4]; /* 56 64 */
> > /* --- cacheline 1 boundary (64 bytes) was 56 bytes ago --- */
> > __u32 enabled_rb_pipes_mask; /* 120 4 */
> > __u32 num_rb_pipes; /* 124 4 */
> > /* --- cacheline 2 boundary (128 bytes) --- */
> > __u32 num_hw_gfx_contexts; /* 128 4 */
> > __u32 _pad; /* 132 4 */
> > __u64 ids_flags; /* 136 8 */
> > __u64 virtual_address_offset; /* 144 8 */
> > __u64 virtual_address_max; /* 152 8 */
> > __u32 virtual_address_alignment; /* 160 4 */
> > __u32 pte_fragment_size; /* 164 4 */
> > __u32 gart_page_size; /* 168 4 */
> > __u32 ce_ram_size; /* 172 4 */
> > __u32 vram_type; /* 176 4 */
> > __u32 vram_bit_width; /* 180 4 */
> > __u32 vce_harvest_config; /* 184 4 */
> > __u32 gc_double_offchip_lds_buf; /* 188 4 */
> > /* --- cacheline 3 boundary (192 bytes) --- */
> > __u64 prim_buf_gpu_addr; /* 192 8 */
> > __u64 pos_buf_gpu_addr; /* 200 8 */
> > __u64 cntl_sb_buf_gpu_addr; /* 208 8 */
> > __u64 param_buf_gpu_addr; /* 216 8 */
> > __u32 prim_buf_size; /* 224 4 */
> > __u32 pos_buf_size; /* 228 4 */
> > __u32 cntl_sb_buf_size; /* 232 4 */
> > __u32 param_buf_size; /* 236 4 */
> > __u32 wave_front_size; /* 240 4 */
> > __u32 num_shader_visible_vgprs; /* 244 4 */
> > __u32 num_cu_per_sh; /* 248 4 */
> > __u32 num_tcc_blocks; /* 252 4 */
> > /* --- cacheline 4 boundary (256 bytes) --- */
> > __u32 gs_vgt_table_depth; /* 256 4 */
> > __u32 gs_prim_buffer_depth; /* 260 4 */
> > __u32 max_gs_waves_per_vgt; /* 264 4 */
> > __u32 _pad1; /* 268 4 */
> > __u32 cu_ao_bitmap[4][4]; /* 272 64 */
> > /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */
> > __u64 high_va_offset; /* 336 8 */
> > __u64 high_va_max; /* 344 8 */
> > __u32 pa_sc_tile_steering_override; /* 352 4 */
> >
> > /* XXX 4 bytes hole, try to pack */
> >
> > __u64 tcc_disabled_mask; /* 360 8 */
> >
> > /* size: 368, cachelines: 6, members: 49 */
> > /* sum members: 364, holes: 1, sum holes: 4 */
> > /* last cacheline: 48 bytes */
> > };
> >
> > drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > index a8c47aecd342..0047da06041f 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > @@ -707,9 +707,10 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file
> > return n ? -EFAULT : 0;
> > }
> > case AMDGPU_INFO_DEV_INFO: {
> > - struct drm_amdgpu_info_device dev_info = {};
> > + struct drm_amdgpu_info_device dev_info;
> > uint64_t vm_size;
> >
> > + memset(&dev_info, 0, sizeof(dev_info));
> > dev_info.device_id = dev->pdev->device;
> > dev_info.chip_rev = adev->rev_id;
> > dev_info.external_rev = adev->external_rev_id;
>
> _______________________________________________
> amd-gfx mailing list
> amd-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/amd-gfx
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
WARNING: multiple messages have this Message-ID (diff)
From: Alex Deucher <alexdeucher@gmail.com>
To: Christian Koenig <christian.koenig@amd.com>
Cc: "Xiaojie Yuan" <xiaojie.yuan@amd.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Arnd Bergmann" <arnd@arndb.de>,
"David Airlie" <airlied@linux.ie>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Felix Kuehling" <Felix.Kuehling@amd.com>,
LKML <linux-kernel@vger.kernel.org>,
"amd-gfx list" <amd-gfx@lists.freedesktop.org>,
"Nicholas Kazlauskas" <nicholas.kazlauskas@amd.com>,
"Marek Olšák" <marek.olsak@amd.com>,
"Hans de Goede" <hdegoede@redhat.com>, Trek <trek00@inbox.ru>,
"Maling list - DRI developers" <dri-devel@lists.freedesktop.org>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Evan Quan" <evan.quan@amd.com>, "Leo Liu" <leo.liu@amd.com>,
"Peilin Ye" <yepeilin.cs@gmail.com>,
"Dan Carpenter" <dan.carpenter@oracle.com>,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
Date: Wed, 29 Jul 2020 17:55:42 -0400 [thread overview]
Message-ID: <CADnq5_Pzz5A4kRyF061K+0hjsBEe7GT6j3zrfKZUrbjGcy1GBQ@mail.gmail.com> (raw)
In-Reply-To: <30b2a31f-77c2-56c1-ecde-875c6eea99d5@gmail.com>
Applied. Thanks!
Alex
On Wed, Jul 29, 2020 at 4:11 AM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 28.07.20 um 21:29 schrieb Peilin Ye:
> > Compiler leaves a 4-byte hole near the end of `dev_info`, causing
> > amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace
> > when `size` is greater than 356.
> >
> > In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which
> > unfortunately does not initialize that 4-byte hole. Fix it by using
> > memset() instead.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()")
> > Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
> > Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
>
> Reviewed-by: Christian König <christian.koenig@amd.com>
>
> I can't count how many of those we have fixed over the years.
>
> At some point we should probably document that using "= {}" or "= { 0 }"
> in the kernel is a really bad idea and should be avoided.
>
> Thanks,
> Christian.
>
> > ---
> > $ pahole -C "drm_amdgpu_info_device" drivers/gpu/drm/amd/amdgpu/amdgpu_kms.o
> > struct drm_amdgpu_info_device {
> > __u32 device_id; /* 0 4 */
> > __u32 chip_rev; /* 4 4 */
> > __u32 external_rev; /* 8 4 */
> > __u32 pci_rev; /* 12 4 */
> > __u32 family; /* 16 4 */
> > __u32 num_shader_engines; /* 20 4 */
> > __u32 num_shader_arrays_per_engine; /* 24 4 */
> > __u32 gpu_counter_freq; /* 28 4 */
> > __u64 max_engine_clock; /* 32 8 */
> > __u64 max_memory_clock; /* 40 8 */
> > __u32 cu_active_number; /* 48 4 */
> > __u32 cu_ao_mask; /* 52 4 */
> > __u32 cu_bitmap[4][4]; /* 56 64 */
> > /* --- cacheline 1 boundary (64 bytes) was 56 bytes ago --- */
> > __u32 enabled_rb_pipes_mask; /* 120 4 */
> > __u32 num_rb_pipes; /* 124 4 */
> > /* --- cacheline 2 boundary (128 bytes) --- */
> > __u32 num_hw_gfx_contexts; /* 128 4 */
> > __u32 _pad; /* 132 4 */
> > __u64 ids_flags; /* 136 8 */
> > __u64 virtual_address_offset; /* 144 8 */
> > __u64 virtual_address_max; /* 152 8 */
> > __u32 virtual_address_alignment; /* 160 4 */
> > __u32 pte_fragment_size; /* 164 4 */
> > __u32 gart_page_size; /* 168 4 */
> > __u32 ce_ram_size; /* 172 4 */
> > __u32 vram_type; /* 176 4 */
> > __u32 vram_bit_width; /* 180 4 */
> > __u32 vce_harvest_config; /* 184 4 */
> > __u32 gc_double_offchip_lds_buf; /* 188 4 */
> > /* --- cacheline 3 boundary (192 bytes) --- */
> > __u64 prim_buf_gpu_addr; /* 192 8 */
> > __u64 pos_buf_gpu_addr; /* 200 8 */
> > __u64 cntl_sb_buf_gpu_addr; /* 208 8 */
> > __u64 param_buf_gpu_addr; /* 216 8 */
> > __u32 prim_buf_size; /* 224 4 */
> > __u32 pos_buf_size; /* 228 4 */
> > __u32 cntl_sb_buf_size; /* 232 4 */
> > __u32 param_buf_size; /* 236 4 */
> > __u32 wave_front_size; /* 240 4 */
> > __u32 num_shader_visible_vgprs; /* 244 4 */
> > __u32 num_cu_per_sh; /* 248 4 */
> > __u32 num_tcc_blocks; /* 252 4 */
> > /* --- cacheline 4 boundary (256 bytes) --- */
> > __u32 gs_vgt_table_depth; /* 256 4 */
> > __u32 gs_prim_buffer_depth; /* 260 4 */
> > __u32 max_gs_waves_per_vgt; /* 264 4 */
> > __u32 _pad1; /* 268 4 */
> > __u32 cu_ao_bitmap[4][4]; /* 272 64 */
> > /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */
> > __u64 high_va_offset; /* 336 8 */
> > __u64 high_va_max; /* 344 8 */
> > __u32 pa_sc_tile_steering_override; /* 352 4 */
> >
> > /* XXX 4 bytes hole, try to pack */
> >
> > __u64 tcc_disabled_mask; /* 360 8 */
> >
> > /* size: 368, cachelines: 6, members: 49 */
> > /* sum members: 364, holes: 1, sum holes: 4 */
> > /* last cacheline: 48 bytes */
> > };
> >
> > drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > index a8c47aecd342..0047da06041f 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > @@ -707,9 +707,10 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file
> > return n ? -EFAULT : 0;
> > }
> > case AMDGPU_INFO_DEV_INFO: {
> > - struct drm_amdgpu_info_device dev_info = {};
> > + struct drm_amdgpu_info_device dev_info;
> > uint64_t vm_size;
> >
> > + memset(&dev_info, 0, sizeof(dev_info));
> > dev_info.device_id = dev->pdev->device;
> > dev_info.chip_rev = adev->rev_id;
> > dev_info.external_rev = adev->external_rev_id;
>
> _______________________________________________
> amd-gfx mailing list
> amd-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/amd-gfx
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Alex Deucher <alexdeucher@gmail.com>
To: Christian Koenig <christian.koenig@amd.com>
Cc: "Xiaojie Yuan" <xiaojie.yuan@amd.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Arnd Bergmann" <arnd@arndb.de>,
"David Airlie" <airlied@linux.ie>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Felix Kuehling" <Felix.Kuehling@amd.com>,
LKML <linux-kernel@vger.kernel.org>,
"amd-gfx list" <amd-gfx@lists.freedesktop.org>,
"Nicholas Kazlauskas" <nicholas.kazlauskas@amd.com>,
"Marek Olšák" <marek.olsak@amd.com>,
"Hans de Goede" <hdegoede@redhat.com>, Trek <trek00@inbox.ru>,
"Maling list - DRI developers" <dri-devel@lists.freedesktop.org>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Alex Deucher" <alexander.deucher@amd.com>,
"Evan Quan" <evan.quan@amd.com>, "Leo Liu" <leo.liu@amd.com>,
"Peilin Ye" <yepeilin.cs@gmail.com>,
"Dan Carpenter" <dan.carpenter@oracle.com>,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
Date: Wed, 29 Jul 2020 17:55:42 -0400 [thread overview]
Message-ID: <CADnq5_Pzz5A4kRyF061K+0hjsBEe7GT6j3zrfKZUrbjGcy1GBQ@mail.gmail.com> (raw)
In-Reply-To: <30b2a31f-77c2-56c1-ecde-875c6eea99d5@gmail.com>
Applied. Thanks!
Alex
On Wed, Jul 29, 2020 at 4:11 AM Christian König
<ckoenig.leichtzumerken@gmail.com> wrote:
>
> Am 28.07.20 um 21:29 schrieb Peilin Ye:
> > Compiler leaves a 4-byte hole near the end of `dev_info`, causing
> > amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace
> > when `size` is greater than 356.
> >
> > In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which
> > unfortunately does not initialize that 4-byte hole. Fix it by using
> > memset() instead.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()")
> > Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
> > Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
>
> Reviewed-by: Christian König <christian.koenig@amd.com>
>
> I can't count how many of those we have fixed over the years.
>
> At some point we should probably document that using "= {}" or "= { 0 }"
> in the kernel is a really bad idea and should be avoided.
>
> Thanks,
> Christian.
>
> > ---
> > $ pahole -C "drm_amdgpu_info_device" drivers/gpu/drm/amd/amdgpu/amdgpu_kms.o
> > struct drm_amdgpu_info_device {
> > __u32 device_id; /* 0 4 */
> > __u32 chip_rev; /* 4 4 */
> > __u32 external_rev; /* 8 4 */
> > __u32 pci_rev; /* 12 4 */
> > __u32 family; /* 16 4 */
> > __u32 num_shader_engines; /* 20 4 */
> > __u32 num_shader_arrays_per_engine; /* 24 4 */
> > __u32 gpu_counter_freq; /* 28 4 */
> > __u64 max_engine_clock; /* 32 8 */
> > __u64 max_memory_clock; /* 40 8 */
> > __u32 cu_active_number; /* 48 4 */
> > __u32 cu_ao_mask; /* 52 4 */
> > __u32 cu_bitmap[4][4]; /* 56 64 */
> > /* --- cacheline 1 boundary (64 bytes) was 56 bytes ago --- */
> > __u32 enabled_rb_pipes_mask; /* 120 4 */
> > __u32 num_rb_pipes; /* 124 4 */
> > /* --- cacheline 2 boundary (128 bytes) --- */
> > __u32 num_hw_gfx_contexts; /* 128 4 */
> > __u32 _pad; /* 132 4 */
> > __u64 ids_flags; /* 136 8 */
> > __u64 virtual_address_offset; /* 144 8 */
> > __u64 virtual_address_max; /* 152 8 */
> > __u32 virtual_address_alignment; /* 160 4 */
> > __u32 pte_fragment_size; /* 164 4 */
> > __u32 gart_page_size; /* 168 4 */
> > __u32 ce_ram_size; /* 172 4 */
> > __u32 vram_type; /* 176 4 */
> > __u32 vram_bit_width; /* 180 4 */
> > __u32 vce_harvest_config; /* 184 4 */
> > __u32 gc_double_offchip_lds_buf; /* 188 4 */
> > /* --- cacheline 3 boundary (192 bytes) --- */
> > __u64 prim_buf_gpu_addr; /* 192 8 */
> > __u64 pos_buf_gpu_addr; /* 200 8 */
> > __u64 cntl_sb_buf_gpu_addr; /* 208 8 */
> > __u64 param_buf_gpu_addr; /* 216 8 */
> > __u32 prim_buf_size; /* 224 4 */
> > __u32 pos_buf_size; /* 228 4 */
> > __u32 cntl_sb_buf_size; /* 232 4 */
> > __u32 param_buf_size; /* 236 4 */
> > __u32 wave_front_size; /* 240 4 */
> > __u32 num_shader_visible_vgprs; /* 244 4 */
> > __u32 num_cu_per_sh; /* 248 4 */
> > __u32 num_tcc_blocks; /* 252 4 */
> > /* --- cacheline 4 boundary (256 bytes) --- */
> > __u32 gs_vgt_table_depth; /* 256 4 */
> > __u32 gs_prim_buffer_depth; /* 260 4 */
> > __u32 max_gs_waves_per_vgt; /* 264 4 */
> > __u32 _pad1; /* 268 4 */
> > __u32 cu_ao_bitmap[4][4]; /* 272 64 */
> > /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */
> > __u64 high_va_offset; /* 336 8 */
> > __u64 high_va_max; /* 344 8 */
> > __u32 pa_sc_tile_steering_override; /* 352 4 */
> >
> > /* XXX 4 bytes hole, try to pack */
> >
> > __u64 tcc_disabled_mask; /* 360 8 */
> >
> > /* size: 368, cachelines: 6, members: 49 */
> > /* sum members: 364, holes: 1, sum holes: 4 */
> > /* last cacheline: 48 bytes */
> > };
> >
> > drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > index a8c47aecd342..0047da06041f 100644
> > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
> > @@ -707,9 +707,10 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file
> > return n ? -EFAULT : 0;
> > }
> > case AMDGPU_INFO_DEV_INFO: {
> > - struct drm_amdgpu_info_device dev_info = {};
> > + struct drm_amdgpu_info_device dev_info;
> > uint64_t vm_size;
> >
> > + memset(&dev_info, 0, sizeof(dev_info));
> > dev_info.device_id = dev->pdev->device;
> > dev_info.chip_rev = adev->rev_id;
> > dev_info.external_rev = adev->external_rev_id;
>
> _______________________________________________
> amd-gfx mailing list
> amd-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/amd-gfx
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
next prev parent reply other threads:[~2020-07-29 21:55 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-28 19:29 [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() Peilin Ye
2020-07-28 19:29 ` Peilin Ye
2020-07-28 19:29 ` Peilin Ye
2020-07-28 19:29 ` Peilin Ye
2020-07-29 8:11 ` Christian König
2020-07-29 8:11 ` Christian König
2020-07-29 8:11 ` Christian König
2020-07-29 8:11 ` Christian König
2020-07-29 9:00 ` Daniel Vetter
2020-07-29 9:00 ` Daniel Vetter
2020-07-29 9:00 ` Daniel Vetter
2020-07-29 9:00 ` Daniel Vetter
2020-07-29 13:49 ` Alex Deucher
2020-07-29 13:49 ` Alex Deucher
2020-07-29 13:49 ` Alex Deucher
2020-07-29 13:49 ` Alex Deucher
2020-07-30 21:09 ` Luben Tuikov
2020-07-30 21:09 ` Luben Tuikov
2020-07-30 21:09 ` Luben Tuikov
2020-07-30 21:09 ` Luben Tuikov
2020-07-31 6:53 ` Greg Kroah-Hartman
2020-07-31 6:53 ` Greg Kroah-Hartman
2020-07-31 6:53 ` Greg Kroah-Hartman
2020-07-31 6:53 ` Greg Kroah-Hartman
2020-07-31 6:57 ` Christian König
2020-07-31 6:57 ` Christian König
2020-07-31 6:57 ` Christian König
2020-07-31 6:57 ` Christian König
2020-07-31 7:10 ` Greg Kroah-Hartman
2020-07-31 7:10 ` Greg Kroah-Hartman
2020-07-31 7:10 ` Greg Kroah-Hartman
2020-07-31 7:10 ` Greg Kroah-Hartman
2020-07-31 7:57 ` Christian König
2020-07-31 7:57 ` Christian König
2020-07-31 7:57 ` Christian König
2020-07-31 7:57 ` Christian König
2020-07-31 7:34 ` Arnd Bergmann
2020-07-31 7:34 ` Arnd Bergmann
2020-07-31 7:34 ` Arnd Bergmann
2020-07-31 7:34 ` Arnd Bergmann
2020-07-29 21:55 ` Alex Deucher [this message]
2020-07-29 21:55 ` Alex Deucher
2020-07-29 21:55 ` Alex Deucher
2020-07-29 21:55 ` Alex Deucher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CADnq5_Pzz5A4kRyF061K+0hjsBEe7GT6j3zrfKZUrbjGcy1GBQ@mail.gmail.com \
--to=alexdeucher@gmail.com \
--cc=Felix.Kuehling@amd.com \
--cc=airlied@linux.ie \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=arnd@arndb.de \
--cc=christian.koenig@amd.com \
--cc=dan.carpenter@oracle.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=evan.quan@amd.com \
--cc=gregkh@linuxfoundation.org \
--cc=hdegoede@redhat.com \
--cc=leo.liu@amd.com \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marek.olsak@amd.com \
--cc=nicholas.kazlauskas@amd.com \
--cc=trek00@inbox.ru \
--cc=tzimmermann@suse.de \
--cc=xiaojie.yuan@amd.com \
--cc=yepeilin.cs@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.