From: Arnd Bergmann <arnd@arndb.de>
To: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Joe Perches <joe@perches.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
Andrea Righi <righi.andrea@gmail.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
Sam Ravnborg <sam@ravnborg.org>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Peter Rosin <peda@axentia.se>, Gerd Hoffmann <kraxel@redhat.com>,
dri-devel <dri-devel@lists.freedesktop.org>,
Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
kernel-janitors@vger.kernel.org, security@kernel.org,
Kees Cook <keescook@chromium.org>,
Julia Lawall <Julia.Lawall@lip6.fr>
Subject: Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
Date: Mon, 13 Jan 2020 13:49:30 +0100 [thread overview]
Message-ID: <CAK8P3a2uLm9pJtx42qDXJSdD71-dVW6+iDcRAnEB85Ajak-HLw@mail.gmail.com> (raw)
In-Reply-To: <fd4e6f01-074b-def7-7ffb-9a9197930c31@samsung.com>
On Fri, Jan 3, 2020 at 2:09 PM Bartlomiej Zolnierkiewicz
<b.zolnierkie@samsung.com> wrote:
> On 10/29/19 8:02 PM, Eric W. Biederman wrote:
> >
> > The goal is to avoid memory that has values of the previous users of
> > that memory region from leaking to userspace. Which depending on who
> > the previous user of that memory region is could tell userspace
> > information about what the kernel is doing that it should not be allowed
> > to find out.
> >
> > I tried to trace through where "info" and thus presumably "info->fix" is
> > coming from and only made it as far as register_framebuffer. Given
>
> "info" (and thus "info->fix") comes from framebuffer_alloc() (which is
> called by fbdev device drivers prior to registering "info" with
> register_framebuffer()). framebuffer_alloc() does kzalloc() on "info".
>
> Therefore shouldn't memcpy() (as suggested by Jeo Perches) be enough?
Is it guaranteed that all drivers call framebuffer_alloc() rather than
open-coding it somewhere?
Here is a list of all files that call register_framebuffer() without first
calling framebuffer_alloc:
$ git grep -wl register_framebuffer | xargs grep -L framebuffer_alloc
Documentation/fb/framebuffer.rst
drivers/media/pci/ivtv/ivtvfb.c
drivers/media/platform/vivid/vivid-osd.c
drivers/video/fbdev/68328fb.c
drivers/video/fbdev/acornfb.c
drivers/video/fbdev/amba-clcd.c
drivers/video/fbdev/atafb.c
drivers/video/fbdev/au1100fb.c
drivers/video/fbdev/controlfb.c
drivers/video/fbdev/core/fbmem.c
drivers/video/fbdev/cyber2000fb.c
drivers/video/fbdev/fsl-diu-fb.c
drivers/video/fbdev/g364fb.c
drivers/video/fbdev/goldfishfb.c
drivers/video/fbdev/hpfb.c
drivers/video/fbdev/macfb.c
drivers/video/fbdev/matrox/matroxfb_base.c
drivers/video/fbdev/matrox/matroxfb_crtc2.c
drivers/video/fbdev/maxinefb.c
drivers/video/fbdev/ocfb.c
drivers/video/fbdev/pxafb.c
drivers/video/fbdev/sa1100fb.c
drivers/video/fbdev/stifb.c
drivers/video/fbdev/valkyriefb.c
drivers/video/fbdev/vermilion/vermilion.c
drivers/video/fbdev/vt8500lcdfb.c
drivers/video/fbdev/wm8505fb.c
drivers/video/fbdev/xilinxfb.c
It's possible (even likely, the ones I looked at are fine) that they
all correctly
zero out the fb_info structure first, but it seems hard to guarantee, so
Eric's suggestion would possibly still be the safer choice.
Arnd
WARNING: multiple messages have this Message-ID (diff)
From: Arnd Bergmann <arnd@arndb.de>
To: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
security@kernel.org, Gerd Hoffmann <kraxel@redhat.com>,
Kees Cook <keescook@chromium.org>,
kernel-janitors@vger.kernel.org,
Daniel Vetter <daniel.vetter@ffwll.ch>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
dri-devel <dri-devel@lists.freedesktop.org>,
Julia Lawall <Julia.Lawall@lip6.fr>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Joe Perches <joe@perches.com>, Sam Ravnborg <sam@ravnborg.org>,
Peter Rosin <peda@axentia.se>,
Dan Carpenter <dan.carpenter@oracle.com>,
Andrea Righi <righi.andrea@gmail.com>
Subject: Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
Date: Mon, 13 Jan 2020 12:49:30 +0000 [thread overview]
Message-ID: <CAK8P3a2uLm9pJtx42qDXJSdD71-dVW6+iDcRAnEB85Ajak-HLw@mail.gmail.com> (raw)
In-Reply-To: <fd4e6f01-074b-def7-7ffb-9a9197930c31@samsung.com>
On Fri, Jan 3, 2020 at 2:09 PM Bartlomiej Zolnierkiewicz
<b.zolnierkie@samsung.com> wrote:
> On 10/29/19 8:02 PM, Eric W. Biederman wrote:
> >
> > The goal is to avoid memory that has values of the previous users of
> > that memory region from leaking to userspace. Which depending on who
> > the previous user of that memory region is could tell userspace
> > information about what the kernel is doing that it should not be allowed
> > to find out.
> >
> > I tried to trace through where "info" and thus presumably "info->fix" is
> > coming from and only made it as far as register_framebuffer. Given
>
> "info" (and thus "info->fix") comes from framebuffer_alloc() (which is
> called by fbdev device drivers prior to registering "info" with
> register_framebuffer()). framebuffer_alloc() does kzalloc() on "info".
>
> Therefore shouldn't memcpy() (as suggested by Jeo Perches) be enough?
Is it guaranteed that all drivers call framebuffer_alloc() rather than
open-coding it somewhere?
Here is a list of all files that call register_framebuffer() without first
calling framebuffer_alloc:
$ git grep -wl register_framebuffer | xargs grep -L framebuffer_alloc
Documentation/fb/framebuffer.rst
drivers/media/pci/ivtv/ivtvfb.c
drivers/media/platform/vivid/vivid-osd.c
drivers/video/fbdev/68328fb.c
drivers/video/fbdev/acornfb.c
drivers/video/fbdev/amba-clcd.c
drivers/video/fbdev/atafb.c
drivers/video/fbdev/au1100fb.c
drivers/video/fbdev/controlfb.c
drivers/video/fbdev/core/fbmem.c
drivers/video/fbdev/cyber2000fb.c
drivers/video/fbdev/fsl-diu-fb.c
drivers/video/fbdev/g364fb.c
drivers/video/fbdev/goldfishfb.c
drivers/video/fbdev/hpfb.c
drivers/video/fbdev/macfb.c
drivers/video/fbdev/matrox/matroxfb_base.c
drivers/video/fbdev/matrox/matroxfb_crtc2.c
drivers/video/fbdev/maxinefb.c
drivers/video/fbdev/ocfb.c
drivers/video/fbdev/pxafb.c
drivers/video/fbdev/sa1100fb.c
drivers/video/fbdev/stifb.c
drivers/video/fbdev/valkyriefb.c
drivers/video/fbdev/vermilion/vermilion.c
drivers/video/fbdev/vt8500lcdfb.c
drivers/video/fbdev/wm8505fb.c
drivers/video/fbdev/xilinxfb.c
It's possible (even likely, the ones I looked at are fine) that they
all correctly
zero out the fb_info structure first, but it seems hard to guarantee, so
Eric's suggestion would possibly still be the safer choice.
Arnd
WARNING: multiple messages have this Message-ID (diff)
From: Arnd Bergmann <arnd@arndb.de>
To: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: Linux Fbdev development list <linux-fbdev@vger.kernel.org>,
security@kernel.org, Gerd Hoffmann <kraxel@redhat.com>,
Kees Cook <keescook@chromium.org>,
kernel-janitors@vger.kernel.org,
Daniel Vetter <daniel.vetter@ffwll.ch>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
dri-devel <dri-devel@lists.freedesktop.org>,
Julia Lawall <Julia.Lawall@lip6.fr>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Joe Perches <joe@perches.com>, Sam Ravnborg <sam@ravnborg.org>,
Peter Rosin <peda@axentia.se>,
Dan Carpenter <dan.carpenter@oracle.com>,
Andrea Righi <righi.andrea@gmail.com>
Subject: Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
Date: Mon, 13 Jan 2020 13:49:30 +0100 [thread overview]
Message-ID: <CAK8P3a2uLm9pJtx42qDXJSdD71-dVW6+iDcRAnEB85Ajak-HLw@mail.gmail.com> (raw)
In-Reply-To: <fd4e6f01-074b-def7-7ffb-9a9197930c31@samsung.com>
On Fri, Jan 3, 2020 at 2:09 PM Bartlomiej Zolnierkiewicz
<b.zolnierkie@samsung.com> wrote:
> On 10/29/19 8:02 PM, Eric W. Biederman wrote:
> >
> > The goal is to avoid memory that has values of the previous users of
> > that memory region from leaking to userspace. Which depending on who
> > the previous user of that memory region is could tell userspace
> > information about what the kernel is doing that it should not be allowed
> > to find out.
> >
> > I tried to trace through where "info" and thus presumably "info->fix" is
> > coming from and only made it as far as register_framebuffer. Given
>
> "info" (and thus "info->fix") comes from framebuffer_alloc() (which is
> called by fbdev device drivers prior to registering "info" with
> register_framebuffer()). framebuffer_alloc() does kzalloc() on "info".
>
> Therefore shouldn't memcpy() (as suggested by Jeo Perches) be enough?
Is it guaranteed that all drivers call framebuffer_alloc() rather than
open-coding it somewhere?
Here is a list of all files that call register_framebuffer() without first
calling framebuffer_alloc:
$ git grep -wl register_framebuffer | xargs grep -L framebuffer_alloc
Documentation/fb/framebuffer.rst
drivers/media/pci/ivtv/ivtvfb.c
drivers/media/platform/vivid/vivid-osd.c
drivers/video/fbdev/68328fb.c
drivers/video/fbdev/acornfb.c
drivers/video/fbdev/amba-clcd.c
drivers/video/fbdev/atafb.c
drivers/video/fbdev/au1100fb.c
drivers/video/fbdev/controlfb.c
drivers/video/fbdev/core/fbmem.c
drivers/video/fbdev/cyber2000fb.c
drivers/video/fbdev/fsl-diu-fb.c
drivers/video/fbdev/g364fb.c
drivers/video/fbdev/goldfishfb.c
drivers/video/fbdev/hpfb.c
drivers/video/fbdev/macfb.c
drivers/video/fbdev/matrox/matroxfb_base.c
drivers/video/fbdev/matrox/matroxfb_crtc2.c
drivers/video/fbdev/maxinefb.c
drivers/video/fbdev/ocfb.c
drivers/video/fbdev/pxafb.c
drivers/video/fbdev/sa1100fb.c
drivers/video/fbdev/stifb.c
drivers/video/fbdev/valkyriefb.c
drivers/video/fbdev/vermilion/vermilion.c
drivers/video/fbdev/vt8500lcdfb.c
drivers/video/fbdev/wm8505fb.c
drivers/video/fbdev/xilinxfb.c
It's possible (even likely, the ones I looked at are fine) that they
all correctly
zero out the fb_info structure first, but it seems hard to guarantee, so
Eric's suggestion would possibly still be the safer choice.
Arnd
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2020-01-13 12:49 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-29 18:23 [PATCH] fbdev: potential information leak in do_fb_ioctl() Dan Carpenter
2019-10-29 18:23 ` Dan Carpenter
2019-10-29 18:23 ` Dan Carpenter
2019-10-29 18:35 ` Joe Perches
2019-10-29 18:35 ` Joe Perches
2019-10-29 18:35 ` Joe Perches
2019-10-29 19:02 ` Eric W. Biederman
2019-10-29 19:02 ` Eric W. Biederman
2019-10-29 19:02 ` Eric W. Biederman
2019-10-30 7:43 ` Andrea Righi
2019-10-30 7:43 ` Andrea Righi
2019-10-30 7:43 ` Andrea Righi
2019-10-30 19:26 ` Eric W. Biederman
2019-10-30 19:26 ` Eric W. Biederman
2019-10-30 19:26 ` Eric W. Biederman
2019-10-30 20:12 ` Andrea Righi
2019-10-30 20:12 ` Andrea Righi
2019-10-30 20:12 ` Andrea Righi
2019-10-31 18:16 ` Joe Perches
2019-10-31 18:16 ` Joe Perches
2019-10-31 18:16 ` Joe Perches
2019-10-31 22:12 ` Eric W. Biederman
2019-10-31 22:12 ` Eric W. Biederman
2019-10-31 22:12 ` Eric W. Biederman
2020-01-03 13:07 ` Bartlomiej Zolnierkiewicz
2020-01-03 13:07 ` Bartlomiej Zolnierkiewicz
2020-01-03 13:07 ` Bartlomiej Zolnierkiewicz
2020-01-13 11:08 ` [PATCH v2] " Dan Carpenter
2020-01-13 11:08 ` Dan Carpenter
2020-01-13 11:08 ` Dan Carpenter
2020-01-15 14:31 ` Bartlomiej Zolnierkiewicz
2020-01-15 14:31 ` Bartlomiej Zolnierkiewicz
2020-01-15 14:31 ` Bartlomiej Zolnierkiewicz
2020-01-13 12:49 ` Arnd Bergmann [this message]
2020-01-13 12:49 ` [PATCH] " Arnd Bergmann
2020-01-13 12:49 ` Arnd Bergmann
2020-01-15 13:09 ` Bartlomiej Zolnierkiewicz
2020-01-15 13:09 ` Bartlomiej Zolnierkiewicz
2020-01-15 13:09 ` Bartlomiej Zolnierkiewicz
2020-01-15 13:16 ` Arnd Bergmann
2020-01-15 13:16 ` Arnd Bergmann
2020-01-15 13:16 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAK8P3a2uLm9pJtx42qDXJSdD71-dVW6+iDcRAnEB85Ajak-HLw@mail.gmail.com \
--to=arnd@arndb.de \
--cc=Julia.Lawall@lip6.fr \
--cc=b.zolnierkie@samsung.com \
--cc=dan.carpenter@oracle.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=ebiederm@xmission.com \
--cc=joe@perches.com \
--cc=keescook@chromium.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=kraxel@redhat.com \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=peda@axentia.se \
--cc=righi.andrea@gmail.com \
--cc=sam@ravnborg.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.