All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] platform/surface: aggregator: prevent information leak in ssam_cdev_request()
@ 2021-01-13  8:16 ` Dan Carpenter
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2021-01-13  8:16 UTC (permalink / raw)
  To: Maximilian Luz
  Cc: Hans de Goede, Mark Gross, platform-driver-x86, kernel-janitors

If copy_struct_from_user() fails at the start of the function then this
function calls put_user(rsp.length, &r->response.length) before
"rsp.length" is set to zero.  That is a potential security issue because
it discloses kernel stack data to user space.

Fixes: 178f6ab77e61 ("platform/surface: Add Surface Aggregator user-space interface")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/platform/surface/surface_aggregator_cdev.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/platform/surface/surface_aggregator_cdev.c b/drivers/platform/surface/surface_aggregator_cdev.c
index 340d15b148b9..05e9eb118d76 100644
--- a/drivers/platform/surface/surface_aggregator_cdev.c
+++ b/drivers/platform/surface/surface_aggregator_cdev.c
@@ -67,7 +67,7 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
 	struct ssam_cdev_request __user *r;
 	struct ssam_cdev_request rqst;
 	struct ssam_request spec;
-	struct ssam_response rsp;
+	struct ssam_response rsp = {};
 	const void __user *plddata;
 	void __user *rspdata;
 	int status = 0, ret = 0, tmp;
@@ -96,8 +96,6 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
 		spec.flags |= SSAM_REQUEST_UNSEQUENCED;
 
 	rsp.capacity = rqst.response.length;
-	rsp.length = 0;
-	rsp.pointer = NULL;
 
 	/* Get request payload from user-space. */
 	if (spec.length) {
-- 
2.29.2

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH] platform/surface: aggregator: prevent information leak in ssam_cdev_request()
@ 2021-01-13  8:16 ` Dan Carpenter
  0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2021-01-13  8:16 UTC (permalink / raw)
  To: Maximilian Luz
  Cc: Hans de Goede, Mark Gross, platform-driver-x86, kernel-janitors

If copy_struct_from_user() fails at the start of the function then this
function calls put_user(rsp.length, &r->response.length) before
"rsp.length" is set to zero.  That is a potential security issue because
it discloses kernel stack data to user space.

Fixes: 178f6ab77e61 ("platform/surface: Add Surface Aggregator user-space interface")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/platform/surface/surface_aggregator_cdev.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/platform/surface/surface_aggregator_cdev.c b/drivers/platform/surface/surface_aggregator_cdev.c
index 340d15b148b9..05e9eb118d76 100644
--- a/drivers/platform/surface/surface_aggregator_cdev.c
+++ b/drivers/platform/surface/surface_aggregator_cdev.c
@@ -67,7 +67,7 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
 	struct ssam_cdev_request __user *r;
 	struct ssam_cdev_request rqst;
 	struct ssam_request spec;
-	struct ssam_response rsp;
+	struct ssam_response rsp = {};
 	const void __user *plddata;
 	void __user *rspdata;
 	int status = 0, ret = 0, tmp;
@@ -96,8 +96,6 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
 		spec.flags |= SSAM_REQUEST_UNSEQUENCED;
 
 	rsp.capacity = rqst.response.length;
-	rsp.length = 0;
-	rsp.pointer = NULL;
 
 	/* Get request payload from user-space. */
 	if (spec.length) {
-- 
2.29.2


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] platform/surface: aggregator: prevent information leak in ssam_cdev_request()
  2021-01-13  8:16 ` Dan Carpenter
@ 2021-01-13  9:29   ` Hans de Goede
  -1 siblings, 0 replies; 4+ messages in thread
From: Hans de Goede @ 2021-01-13  9:29 UTC (permalink / raw)
  To: Dan Carpenter, Maximilian Luz
  Cc: Mark Gross, platform-driver-x86, kernel-janitors

Hi,

On 1/13/21 9:16 AM, Dan Carpenter wrote:
> If copy_struct_from_user() fails at the start of the function then this
> function calls put_user(rsp.length, &r->response.length) before
> "rsp.length" is set to zero.  That is a potential security issue because
> it discloses kernel stack data to user space.
> 
> Fixes: 178f6ab77e61 ("platform/surface: Add Surface Aggregator user-space interface")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thank you for your patch, another fix for this was already submitted:
https://patchwork.kernel.org/project/platform-driver-x86/patch/20210111154851.325404-2-luzmaximilian@gmail.com/

So I'm dropping this patch from my queue.

Regards,

Hans



> ---
>  drivers/platform/surface/surface_aggregator_cdev.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/drivers/platform/surface/surface_aggregator_cdev.c b/drivers/platform/surface/surface_aggregator_cdev.c
> index 340d15b148b9..05e9eb118d76 100644
> --- a/drivers/platform/surface/surface_aggregator_cdev.c
> +++ b/drivers/platform/surface/surface_aggregator_cdev.c
> @@ -67,7 +67,7 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
>  	struct ssam_cdev_request __user *r;
>  	struct ssam_cdev_request rqst;
>  	struct ssam_request spec;
> -	struct ssam_response rsp;
> +	struct ssam_response rsp = {};
>  	const void __user *plddata;
>  	void __user *rspdata;
>  	int status = 0, ret = 0, tmp;
> @@ -96,8 +96,6 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
>  		spec.flags |= SSAM_REQUEST_UNSEQUENCED;
>  
>  	rsp.capacity = rqst.response.length;
> -	rsp.length = 0;
> -	rsp.pointer = NULL;
>  
>  	/* Get request payload from user-space. */
>  	if (spec.length) {
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] platform/surface: aggregator: prevent information leak in ssam_cdev_request()
@ 2021-01-13  9:29   ` Hans de Goede
  0 siblings, 0 replies; 4+ messages in thread
From: Hans de Goede @ 2021-01-13  9:29 UTC (permalink / raw)
  To: Dan Carpenter, Maximilian Luz
  Cc: Mark Gross, platform-driver-x86, kernel-janitors

Hi,

On 1/13/21 9:16 AM, Dan Carpenter wrote:
> If copy_struct_from_user() fails at the start of the function then this
> function calls put_user(rsp.length, &r->response.length) before
> "rsp.length" is set to zero.  That is a potential security issue because
> it discloses kernel stack data to user space.
> 
> Fixes: 178f6ab77e61 ("platform/surface: Add Surface Aggregator user-space interface")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thank you for your patch, another fix for this was already submitted:
https://patchwork.kernel.org/project/platform-driver-x86/patch/20210111154851.325404-2-luzmaximilian@gmail.com/

So I'm dropping this patch from my queue.

Regards,

Hans



> ---
>  drivers/platform/surface/surface_aggregator_cdev.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/drivers/platform/surface/surface_aggregator_cdev.c b/drivers/platform/surface/surface_aggregator_cdev.c
> index 340d15b148b9..05e9eb118d76 100644
> --- a/drivers/platform/surface/surface_aggregator_cdev.c
> +++ b/drivers/platform/surface/surface_aggregator_cdev.c
> @@ -67,7 +67,7 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
>  	struct ssam_cdev_request __user *r;
>  	struct ssam_cdev_request rqst;
>  	struct ssam_request spec;
> -	struct ssam_response rsp;
> +	struct ssam_response rsp = {};
>  	const void __user *plddata;
>  	void __user *rspdata;
>  	int status = 0, ret = 0, tmp;
> @@ -96,8 +96,6 @@ static long ssam_cdev_request(struct ssam_cdev *cdev, unsigned long arg)
>  		spec.flags |= SSAM_REQUEST_UNSEQUENCED;
>  
>  	rsp.capacity = rqst.response.length;
> -	rsp.length = 0;
> -	rsp.pointer = NULL;
>  
>  	/* Get request payload from user-space. */
>  	if (spec.length) {
> 


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-01-13  9:31 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-13  8:16 [PATCH] platform/surface: aggregator: prevent information leak in ssam_cdev_request() Dan Carpenter
2021-01-13  8:16 ` Dan Carpenter
2021-01-13  9:29 ` Hans de Goede
2021-01-13  9:29   ` Hans de Goede

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.