* [Cluster-devel] [PATCH] fs/dlm: Fix kernel memory disclosure
@ 2017-01-09 13:27 Vlad Tsyrklevich
2017-01-26 8:54 ` Vlad Tsyrklevich
0 siblings, 1 reply; 4+ messages in thread
From: Vlad Tsyrklevich @ 2017-01-09 13:27 UTC (permalink / raw)
To: cluster-devel.redhat.com
Clear the 'unused' field to avoid leaking memory to userland in
copy_result_to_user().
Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
---
fs/dlm/user.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index 1ce908c..0570711 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -138,6 +138,8 @@ static void compat_output(struct dlm_lock_result *res,
res32->lksb.sb_flags = res->lksb.sb_flags;
res32->lksb.sb_lkid = res->lksb.sb_lkid;
res32->lksb.sb_lvbptr = (__u32)(long)res->lksb.sb_lvbptr;
+
+ memset(&res32->unused, 0, sizeof(res32->unused));
}
#endif
--
2.7.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Cluster-devel] [PATCH] fs/dlm: Fix kernel memory disclosure
2017-01-09 13:27 [Cluster-devel] [PATCH] fs/dlm: Fix kernel memory disclosure Vlad Tsyrklevich
@ 2017-01-26 8:54 ` Vlad Tsyrklevich
2017-01-26 10:54 ` Steven Whitehouse
0 siblings, 1 reply; 4+ messages in thread
From: Vlad Tsyrklevich @ 2017-01-26 8:54 UTC (permalink / raw)
To: cluster-devel.redhat.com
Hello, I wanted to ping the list and see if this could get a review.
On Mon, Jan 9, 2017 at 8:27 PM, Vlad Tsyrklevich <vlad@tsyrklevich.net> wrote:
> Clear the 'unused' field to avoid leaking memory to userland in
> copy_result_to_user().
>
> Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
> ---
> fs/dlm/user.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/dlm/user.c b/fs/dlm/user.c
> index 1ce908c..0570711 100644
> --- a/fs/dlm/user.c
> +++ b/fs/dlm/user.c
> @@ -138,6 +138,8 @@ static void compat_output(struct dlm_lock_result *res,
> res32->lksb.sb_flags = res->lksb.sb_flags;
> res32->lksb.sb_lkid = res->lksb.sb_lkid;
> res32->lksb.sb_lvbptr = (__u32)(long)res->lksb.sb_lvbptr;
> +
> + memset(&res32->unused, 0, sizeof(res32->unused));
> }
> #endif
>
> --
> 2.7.0
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Cluster-devel] [PATCH] fs/dlm: Fix kernel memory disclosure
2017-01-26 8:54 ` Vlad Tsyrklevich
@ 2017-01-26 10:54 ` Steven Whitehouse
2017-02-02 16:58 ` Vlad Tsyrklevich
0 siblings, 1 reply; 4+ messages in thread
From: Steven Whitehouse @ 2017-01-26 10:54 UTC (permalink / raw)
To: cluster-devel.redhat.com
Hi,
On 26/01/17 08:54, Vlad Tsyrklevich wrote:
> Hello, I wanted to ping the list and see if this could get a review.
>
> On Mon, Jan 9, 2017 at 8:27 PM, Vlad Tsyrklevich <vlad@tsyrklevich.net> wrote:
>> Clear the 'unused' field to avoid leaking memory to userland in
>> copy_result_to_user().
>>
>> Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
>> ---
>> fs/dlm/user.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/fs/dlm/user.c b/fs/dlm/user.c
>> index 1ce908c..0570711 100644
>> --- a/fs/dlm/user.c
>> +++ b/fs/dlm/user.c
>> @@ -138,6 +138,8 @@ static void compat_output(struct dlm_lock_result *res,
>> res32->lksb.sb_flags = res->lksb.sb_flags;
>> res32->lksb.sb_lkid = res->lksb.sb_lkid;
>> res32->lksb.sb_lvbptr = (__u32)(long)res->lksb.sb_lvbptr;
>> +
>> + memset(&res32->unused, 0, sizeof(res32->unused));
>> }
>> #endif
>>
>> --
>> 2.7.0
>>
It looks like struct dlm_lksb32 has a hole in it, so it would be safer
just to zero the whole of the dlm_lock_result32 before it is written to,
rather than trying to find all the holes individually, even if slightly
slower (I'm not sure it would be noticeable in reality though)
Steve.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Cluster-devel] [PATCH] fs/dlm: Fix kernel memory disclosure
2017-01-26 10:54 ` Steven Whitehouse
@ 2017-02-02 16:58 ` Vlad Tsyrklevich
0 siblings, 0 replies; 4+ messages in thread
From: Vlad Tsyrklevich @ 2017-02-02 16:58 UTC (permalink / raw)
To: cluster-devel.redhat.com
You're right, thanks for double checking that logic! I've just sent an
updated patch to the list.
On Thu, Jan 26, 2017 at 5:54 PM Steven Whitehouse <swhiteho@redhat.com> wrote:
>
> Hi,
>
>
> On 26/01/17 08:54, Vlad Tsyrklevich wrote:
> > Hello, I wanted to ping the list and see if this could get a review.
> >
> > On Mon, Jan 9, 2017 at 8:27 PM, Vlad Tsyrklevich <vlad@tsyrklevich.net> wrote:
> >> Clear the 'unused' field to avoid leaking memory to userland in
> >> copy_result_to_user().
> >>
> >> Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
> >> ---
> >> fs/dlm/user.c | 2 ++
> >> 1 file changed, 2 insertions(+)
> >>
> >> diff --git a/fs/dlm/user.c b/fs/dlm/user.c
> >> index 1ce908c..0570711 100644
> >> --- a/fs/dlm/user.c
> >> +++ b/fs/dlm/user.c
> >> @@ -138,6 +138,8 @@ static void compat_output(struct dlm_lock_result *res,
> >> res32->lksb.sb_flags = res->lksb.sb_flags;
> >> res32->lksb.sb_lkid = res->lksb.sb_lkid;
> >> res32->lksb.sb_lvbptr = (__u32)(long)res->lksb.sb_lvbptr;
> >> +
> >> + memset(&res32->unused, 0, sizeof(res32->unused));
> >> }
> >> #endif
> >>
> >> --
> >> 2.7.0
> >>
> It looks like struct dlm_lksb32 has a hole in it, so it would be safer
> just to zero the whole of the dlm_lock_result32 before it is written to,
> rather than trying to find all the holes individually, even if slightly
> slower (I'm not sure it would be noticeable in reality though)
>
> Steve.
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-02-02 16:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-09 13:27 [Cluster-devel] [PATCH] fs/dlm: Fix kernel memory disclosure Vlad Tsyrklevich
2017-01-26 8:54 ` Vlad Tsyrklevich
2017-01-26 10:54 ` Steven Whitehouse
2017-02-02 16:58 ` Vlad Tsyrklevich
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.