* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-29 19:02 ` Eric W. Biederman
@ 2019-10-29 19:02 ` Eric W. Biederman
2019-10-30 7:43 ` Andrea Righi
2020-01-03 13:07 ` Bartlomiej Zolnierkiewicz
2 siblings, 0 replies; 21+ messages in thread
From: Eric W. Biederman @ 2019-10-29 19:02 UTC (permalink / raw)
To: Dan Carpenter
Cc: linux-fbdev, security, Kees Cook, Bartlomiej Zolnierkiewicz,
kernel-janitors, Daniel Vetter, linux-kernel, dri-devel,
Julia Lawall, Gerd Hoffmann, Sam Ravnborg, Peter Rosin,
Andrea Righi
Dan Carpenter <dan.carpenter@oracle.com> writes:
> The "fix" struct has a 2 byte hole after ->ywrapstep and the
> "fix = info->fix;" assignment doesn't necessarily clear it. It depends
> on the compiler.
>
> Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> I have 13 more similar places to patch... I'm not totally sure I
> understand all the issues involved.
What I have done in a similar situation with struct siginfo, is that
where the structure first appears I have initialized it with memset,
and then field by field.
Then when the structure is copied I copy the structure with memcpy.
That ensures all of the bytes in the original structure are initialized
and that all of the bytes are copied.
The goal is to avoid memory that has values of the previous users of
that memory region from leaking to userspace. Which depending on who
the previous user of that memory region is could tell userspace
information about what the kernel is doing that it should not be allowed
to find out.
I tried to trace through where "info" and thus presumably "info->fix" is
coming from and only made it as far as register_framebuffer. Given
that I suspect a local memset, and then a field by field copy right
before copy_to_user might be a sound solution. But ick. That is a lot
of fields to copy.
Eric
> drivers/video/fbdev/core/fbmem.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index 6f6fc785b545..b4ce6a28aed9 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -1109,6 +1109,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
> ret = -EFAULT;
> break;
> case FBIOGET_FSCREENINFO:
> + memset(&fix, 0, sizeof(fix));
> lock_fb_info(info);
> fix = info->fix;
> if (info->flags & FBINFO_HIDE_SMEM_START)
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-29 19:02 ` Eric W. Biederman
2019-10-29 19:02 ` Eric W. Biederman
@ 2019-10-30 7:43 ` Andrea Righi
2019-10-30 7:43 ` Andrea Righi
2019-10-30 19:26 ` Eric W. Biederman
2020-01-03 13:07 ` Bartlomiej Zolnierkiewicz
2 siblings, 2 replies; 21+ messages in thread
From: Andrea Righi @ 2019-10-30 7:43 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Dan Carpenter, Bartlomiej Zolnierkiewicz, Daniel Vetter,
Sam Ravnborg, Maarten Lankhorst, Peter Rosin, Gerd Hoffmann,
dri-devel, linux-fbdev, linux-kernel, kernel-janitors, security,
Kees Cook, Julia Lawall
On Tue, Oct 29, 2019 at 02:02:11PM -0500, Eric W. Biederman wrote:
> Dan Carpenter <dan.carpenter@oracle.com> writes:
>
> > The "fix" struct has a 2 byte hole after ->ywrapstep and the
> > "fix = info->fix;" assignment doesn't necessarily clear it. It depends
> > on the compiler.
> >
> > Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > I have 13 more similar places to patch... I'm not totally sure I
> > understand all the issues involved.
>
> What I have done in a similar situation with struct siginfo, is that
> where the structure first appears I have initialized it with memset,
> and then field by field.
>
> Then when the structure is copied I copy the structure with memcpy.
>
> That ensures all of the bytes in the original structure are initialized
> and that all of the bytes are copied.
>
> The goal is to avoid memory that has values of the previous users of
> that memory region from leaking to userspace. Which depending on who
> the previous user of that memory region is could tell userspace
> information about what the kernel is doing that it should not be allowed
> to find out.
>
> I tried to trace through where "info" and thus presumably "info->fix" is
> coming from and only made it as far as register_framebuffer. Given
> that I suspect a local memset, and then a field by field copy right
> before copy_to_user might be a sound solution. But ick. That is a lot
> of fields to copy.
I know it might sound quite inefficient, but what about making struct
fb_fix_screeninfo __packed?
This doesn't solve other potential similar issues, but for this
particular case it could be a reasonable and simple fix.
-Andrea
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-30 7:43 ` Andrea Righi
@ 2019-10-30 7:43 ` Andrea Righi
2019-10-30 19:26 ` Eric W. Biederman
1 sibling, 0 replies; 21+ messages in thread
From: Andrea Righi @ 2019-10-30 7:43 UTC (permalink / raw)
To: Eric W. Biederman
Cc: linux-fbdev, security, Kees Cook, Bartlomiej Zolnierkiewicz,
kernel-janitors, Daniel Vetter, linux-kernel, dri-devel,
Julia Lawall, Gerd Hoffmann, Sam Ravnborg, Peter Rosin,
Dan Carpenter
On Tue, Oct 29, 2019 at 02:02:11PM -0500, Eric W. Biederman wrote:
> Dan Carpenter <dan.carpenter@oracle.com> writes:
>
> > The "fix" struct has a 2 byte hole after ->ywrapstep and the
> > "fix = info->fix;" assignment doesn't necessarily clear it. It depends
> > on the compiler.
> >
> > Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > I have 13 more similar places to patch... I'm not totally sure I
> > understand all the issues involved.
>
> What I have done in a similar situation with struct siginfo, is that
> where the structure first appears I have initialized it with memset,
> and then field by field.
>
> Then when the structure is copied I copy the structure with memcpy.
>
> That ensures all of the bytes in the original structure are initialized
> and that all of the bytes are copied.
>
> The goal is to avoid memory that has values of the previous users of
> that memory region from leaking to userspace. Which depending on who
> the previous user of that memory region is could tell userspace
> information about what the kernel is doing that it should not be allowed
> to find out.
>
> I tried to trace through where "info" and thus presumably "info->fix" is
> coming from and only made it as far as register_framebuffer. Given
> that I suspect a local memset, and then a field by field copy right
> before copy_to_user might be a sound solution. But ick. That is a lot
> of fields to copy.
I know it might sound quite inefficient, but what about making struct
fb_fix_screeninfo __packed?
This doesn't solve other potential similar issues, but for this
particular case it could be a reasonable and simple fix.
-Andrea
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-30 7:43 ` Andrea Righi
2019-10-30 7:43 ` Andrea Righi
@ 2019-10-30 19:26 ` Eric W. Biederman
2019-10-30 19:26 ` Eric W. Biederman
2019-10-30 20:12 ` Andrea Righi
1 sibling, 2 replies; 21+ messages in thread
From: Eric W. Biederman @ 2019-10-30 19:26 UTC (permalink / raw)
To: Andrea Righi
Cc: Dan Carpenter, Bartlomiej Zolnierkiewicz, Daniel Vetter,
Sam Ravnborg, Maarten Lankhorst, Peter Rosin, Gerd Hoffmann,
dri-devel, linux-fbdev, linux-kernel, kernel-janitors, security,
Kees Cook, Julia Lawall
Andrea Righi <andrea.righi@canonical.com> writes:
> On Tue, Oct 29, 2019 at 02:02:11PM -0500, Eric W. Biederman wrote:
>> Dan Carpenter <dan.carpenter@oracle.com> writes:
>>
>> > The "fix" struct has a 2 byte hole after ->ywrapstep and the
>> > "fix = info->fix;" assignment doesn't necessarily clear it. It depends
>> > on the compiler.
>> >
>> > Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
>> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> > ---
>> > I have 13 more similar places to patch... I'm not totally sure I
>> > understand all the issues involved.
>>
>> What I have done in a similar situation with struct siginfo, is that
>> where the structure first appears I have initialized it with memset,
>> and then field by field.
>>
>> Then when the structure is copied I copy the structure with memcpy.
>>
>> That ensures all of the bytes in the original structure are initialized
>> and that all of the bytes are copied.
>>
>> The goal is to avoid memory that has values of the previous users of
>> that memory region from leaking to userspace. Which depending on who
>> the previous user of that memory region is could tell userspace
>> information about what the kernel is doing that it should not be allowed
>> to find out.
>>
>> I tried to trace through where "info" and thus presumably "info->fix" is
>> coming from and only made it as far as register_framebuffer. Given
>> that I suspect a local memset, and then a field by field copy right
>> before copy_to_user might be a sound solution. But ick. That is a lot
>> of fields to copy.
>
> I know it might sound quite inefficient, but what about making struct
> fb_fix_screeninfo __packed?
>
> This doesn't solve other potential similar issues, but for this
> particular case it could be a reasonable and simple fix.
It is part of the user space ABI. As such you can't move the fields.
Eric
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-30 19:26 ` Eric W. Biederman
@ 2019-10-30 19:26 ` Eric W. Biederman
2019-10-30 20:12 ` Andrea Righi
1 sibling, 0 replies; 21+ messages in thread
From: Eric W. Biederman @ 2019-10-30 19:26 UTC (permalink / raw)
To: Andrea Righi
Cc: linux-fbdev, security, Kees Cook, Bartlomiej Zolnierkiewicz,
kernel-janitors, Daniel Vetter, linux-kernel, dri-devel,
Julia Lawall, Gerd Hoffmann, Sam Ravnborg, Peter Rosin,
Dan Carpenter
Andrea Righi <andrea.righi@canonical.com> writes:
> On Tue, Oct 29, 2019 at 02:02:11PM -0500, Eric W. Biederman wrote:
>> Dan Carpenter <dan.carpenter@oracle.com> writes:
>>
>> > The "fix" struct has a 2 byte hole after ->ywrapstep and the
>> > "fix = info->fix;" assignment doesn't necessarily clear it. It depends
>> > on the compiler.
>> >
>> > Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
>> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> > ---
>> > I have 13 more similar places to patch... I'm not totally sure I
>> > understand all the issues involved.
>>
>> What I have done in a similar situation with struct siginfo, is that
>> where the structure first appears I have initialized it with memset,
>> and then field by field.
>>
>> Then when the structure is copied I copy the structure with memcpy.
>>
>> That ensures all of the bytes in the original structure are initialized
>> and that all of the bytes are copied.
>>
>> The goal is to avoid memory that has values of the previous users of
>> that memory region from leaking to userspace. Which depending on who
>> the previous user of that memory region is could tell userspace
>> information about what the kernel is doing that it should not be allowed
>> to find out.
>>
>> I tried to trace through where "info" and thus presumably "info->fix" is
>> coming from and only made it as far as register_framebuffer. Given
>> that I suspect a local memset, and then a field by field copy right
>> before copy_to_user might be a sound solution. But ick. That is a lot
>> of fields to copy.
>
> I know it might sound quite inefficient, but what about making struct
> fb_fix_screeninfo __packed?
>
> This doesn't solve other potential similar issues, but for this
> particular case it could be a reasonable and simple fix.
It is part of the user space ABI. As such you can't move the fields.
Eric
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-30 19:26 ` Eric W. Biederman
2019-10-30 19:26 ` Eric W. Biederman
@ 2019-10-30 20:12 ` Andrea Righi
2019-10-30 20:12 ` Andrea Righi
2019-10-31 18:16 ` Joe Perches
1 sibling, 2 replies; 21+ messages in thread
From: Andrea Righi @ 2019-10-30 20:12 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Dan Carpenter, Bartlomiej Zolnierkiewicz, Daniel Vetter,
Sam Ravnborg, Maarten Lankhorst, Peter Rosin, Gerd Hoffmann,
dri-devel, linux-fbdev, linux-kernel, kernel-janitors, security,
Kees Cook, Julia Lawall
On Wed, Oct 30, 2019 at 02:26:21PM -0500, Eric W. Biederman wrote:
> Andrea Righi <andrea.righi@canonical.com> writes:
>
> > On Tue, Oct 29, 2019 at 02:02:11PM -0500, Eric W. Biederman wrote:
> >> Dan Carpenter <dan.carpenter@oracle.com> writes:
> >>
> >> > The "fix" struct has a 2 byte hole after ->ywrapstep and the
> >> > "fix = info->fix;" assignment doesn't necessarily clear it. It depends
> >> > on the compiler.
> >> >
> >> > Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
> >> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >> > ---
> >> > I have 13 more similar places to patch... I'm not totally sure I
> >> > understand all the issues involved.
> >>
> >> What I have done in a similar situation with struct siginfo, is that
> >> where the structure first appears I have initialized it with memset,
> >> and then field by field.
> >>
> >> Then when the structure is copied I copy the structure with memcpy.
> >>
> >> That ensures all of the bytes in the original structure are initialized
> >> and that all of the bytes are copied.
> >>
> >> The goal is to avoid memory that has values of the previous users of
> >> that memory region from leaking to userspace. Which depending on who
> >> the previous user of that memory region is could tell userspace
> >> information about what the kernel is doing that it should not be allowed
> >> to find out.
> >>
> >> I tried to trace through where "info" and thus presumably "info->fix" is
> >> coming from and only made it as far as register_framebuffer. Given
> >> that I suspect a local memset, and then a field by field copy right
> >> before copy_to_user might be a sound solution. But ick. That is a lot
> >> of fields to copy.
> >
> > I know it might sound quite inefficient, but what about making struct
> > fb_fix_screeninfo __packed?
> >
> > This doesn't solve other potential similar issues, but for this
> > particular case it could be a reasonable and simple fix.
>
> It is part of the user space ABI. As such you can't move the fields.
>
> Eric
Oh, that's right! Then memset() + memcpy() is probably the best option,
since copying all those fields one by one looks quite ugly to me...
-Andrea
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-30 20:12 ` Andrea Righi
@ 2019-10-30 20:12 ` Andrea Righi
2019-10-31 18:16 ` Joe Perches
1 sibling, 0 replies; 21+ messages in thread
From: Andrea Righi @ 2019-10-30 20:12 UTC (permalink / raw)
To: Eric W. Biederman
Cc: linux-fbdev, security, Kees Cook, Bartlomiej Zolnierkiewicz,
kernel-janitors, Daniel Vetter, linux-kernel, dri-devel,
Julia Lawall, Gerd Hoffmann, Sam Ravnborg, Peter Rosin,
Dan Carpenter
On Wed, Oct 30, 2019 at 02:26:21PM -0500, Eric W. Biederman wrote:
> Andrea Righi <andrea.righi@canonical.com> writes:
>
> > On Tue, Oct 29, 2019 at 02:02:11PM -0500, Eric W. Biederman wrote:
> >> Dan Carpenter <dan.carpenter@oracle.com> writes:
> >>
> >> > The "fix" struct has a 2 byte hole after ->ywrapstep and the
> >> > "fix = info->fix;" assignment doesn't necessarily clear it. It depends
> >> > on the compiler.
> >> >
> >> > Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
> >> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >> > ---
> >> > I have 13 more similar places to patch... I'm not totally sure I
> >> > understand all the issues involved.
> >>
> >> What I have done in a similar situation with struct siginfo, is that
> >> where the structure first appears I have initialized it with memset,
> >> and then field by field.
> >>
> >> Then when the structure is copied I copy the structure with memcpy.
> >>
> >> That ensures all of the bytes in the original structure are initialized
> >> and that all of the bytes are copied.
> >>
> >> The goal is to avoid memory that has values of the previous users of
> >> that memory region from leaking to userspace. Which depending on who
> >> the previous user of that memory region is could tell userspace
> >> information about what the kernel is doing that it should not be allowed
> >> to find out.
> >>
> >> I tried to trace through where "info" and thus presumably "info->fix" is
> >> coming from and only made it as far as register_framebuffer. Given
> >> that I suspect a local memset, and then a field by field copy right
> >> before copy_to_user might be a sound solution. But ick. That is a lot
> >> of fields to copy.
> >
> > I know it might sound quite inefficient, but what about making struct
> > fb_fix_screeninfo __packed?
> >
> > This doesn't solve other potential similar issues, but for this
> > particular case it could be a reasonable and simple fix.
>
> It is part of the user space ABI. As such you can't move the fields.
>
> Eric
Oh, that's right! Then memset() + memcpy() is probably the best option,
since copying all those fields one by one looks quite ugly to me...
-Andrea
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-30 20:12 ` Andrea Righi
2019-10-30 20:12 ` Andrea Righi
@ 2019-10-31 18:16 ` Joe Perches
2019-10-31 18:16 ` Joe Perches
2019-10-31 22:12 ` Eric W. Biederman
1 sibling, 2 replies; 21+ messages in thread
From: Joe Perches @ 2019-10-31 18:16 UTC (permalink / raw)
To: Andrea Righi, Eric W. Biederman
Cc: Dan Carpenter, Bartlomiej Zolnierkiewicz, Daniel Vetter,
Sam Ravnborg, Maarten Lankhorst, Peter Rosin, Gerd Hoffmann,
dri-devel, linux-fbdev, linux-kernel, kernel-janitors, security,
Kees Cook, Julia Lawall
On Wed, 2019-10-30 at 21:12 +0100, Andrea Righi wrote:
> Then memset() + memcpy() is probably the best option,
> since copying all those fields one by one looks quite ugly to me...
A memset of an automatic before a memcpy to the same
automatic is unnecessary.
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-31 18:16 ` Joe Perches
@ 2019-10-31 18:16 ` Joe Perches
2019-10-31 22:12 ` Eric W. Biederman
1 sibling, 0 replies; 21+ messages in thread
From: Joe Perches @ 2019-10-31 18:16 UTC (permalink / raw)
To: Andrea Righi, Eric W. Biederman
Cc: linux-fbdev, security, Kees Cook, Bartlomiej Zolnierkiewicz,
kernel-janitors, Daniel Vetter, linux-kernel, dri-devel,
Julia Lawall, Gerd Hoffmann, Sam Ravnborg, Peter Rosin,
Dan Carpenter
On Wed, 2019-10-30 at 21:12 +0100, Andrea Righi wrote:
> Then memset() + memcpy() is probably the best option,
> since copying all those fields one by one looks quite ugly to me...
A memset of an automatic before a memcpy to the same
automatic is unnecessary.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-31 18:16 ` Joe Perches
2019-10-31 18:16 ` Joe Perches
@ 2019-10-31 22:12 ` Eric W. Biederman
2019-10-31 22:12 ` Eric W. Biederman
1 sibling, 1 reply; 21+ messages in thread
From: Eric W. Biederman @ 2019-10-31 22:12 UTC (permalink / raw)
To: Joe Perches
Cc: Andrea Righi, Dan Carpenter, Bartlomiej Zolnierkiewicz,
Daniel Vetter, Sam Ravnborg, Maarten Lankhorst, Peter Rosin,
Gerd Hoffmann, dri-devel, linux-fbdev, linux-kernel,
kernel-janitors, security, Kees Cook, Julia Lawall
Joe Perches <joe@perches.com> writes:
> On Wed, 2019-10-30 at 21:12 +0100, Andrea Righi wrote:
>> Then memset() + memcpy() is probably the best option,
>> since copying all those fields one by one looks quite ugly to me...
>
> A memset of an automatic before a memcpy to the same
> automatic is unnecessary.
You still need to guarantee that all of the holes in the
structure you are copying are initialized before you copy it.
Otherwise you are just changing which unitialized memory that
is being copied to userspace.
Which is my concern with your very simple suggestion.
Eric
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-31 22:12 ` Eric W. Biederman
@ 2019-10-31 22:12 ` Eric W. Biederman
0 siblings, 0 replies; 21+ messages in thread
From: Eric W. Biederman @ 2019-10-31 22:12 UTC (permalink / raw)
To: Joe Perches
Cc: linux-fbdev, security, Kees Cook, Julia Lawall,
Bartlomiej Zolnierkiewicz, kernel-janitors, Daniel Vetter,
linux-kernel, dri-devel, Andrea Righi, Gerd Hoffmann,
Sam Ravnborg, Peter Rosin, Dan Carpenter
Joe Perches <joe@perches.com> writes:
> On Wed, 2019-10-30 at 21:12 +0100, Andrea Righi wrote:
>> Then memset() + memcpy() is probably the best option,
>> since copying all those fields one by one looks quite ugly to me...
>
> A memset of an automatic before a memcpy to the same
> automatic is unnecessary.
You still need to guarantee that all of the holes in the
structure you are copying are initialized before you copy it.
Otherwise you are just changing which unitialized memory that
is being copied to userspace.
Which is my concern with your very simple suggestion.
Eric
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2019-10-29 19:02 ` Eric W. Biederman
2019-10-29 19:02 ` Eric W. Biederman
2019-10-30 7:43 ` Andrea Righi
@ 2020-01-03 13:07 ` Bartlomiej Zolnierkiewicz
2020-01-13 11:08 ` [PATCH v2] " Dan Carpenter
2020-01-13 12:49 ` [PATCH] " Arnd Bergmann
2 siblings, 2 replies; 21+ messages in thread
From: Bartlomiej Zolnierkiewicz @ 2020-01-03 13:07 UTC (permalink / raw)
To: Eric W. Biederman, Joe Perches
Cc: linux-fbdev, security, Kees Cook, kernel-janitors, Daniel Vetter,
linux-kernel, dri-devel, Julia Lawall, Gerd Hoffmann,
Sam Ravnborg, Peter Rosin, Dan Carpenter, Andrea Righi
On 10/29/19 8:02 PM, Eric W. Biederman wrote:
> Dan Carpenter <dan.carpenter@oracle.com> writes:
>
>> The "fix" struct has a 2 byte hole after ->ywrapstep and the
>> "fix = info->fix;" assignment doesn't necessarily clear it. It depends
>> on the compiler.
>>
>> Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> ---
>> I have 13 more similar places to patch... I'm not totally sure I
>> understand all the issues involved.
>
> What I have done in a similar situation with struct siginfo, is that
> where the structure first appears I have initialized it with memset,
> and then field by field.
>
> Then when the structure is copied I copy the structure with memcpy.
>
> That ensures all of the bytes in the original structure are initialized
> and that all of the bytes are copied.
>
> The goal is to avoid memory that has values of the previous users of
> that memory region from leaking to userspace. Which depending on who
> the previous user of that memory region is could tell userspace
> information about what the kernel is doing that it should not be allowed
> to find out.
>
> I tried to trace through where "info" and thus presumably "info->fix" is
> coming from and only made it as far as register_framebuffer. Given
"info" (and thus "info->fix") comes from framebuffer_alloc() (which is
called by fbdev device drivers prior to registering "info" with
register_framebuffer()). framebuffer_alloc() does kzalloc() on "info".
Therefore shouldn't memcpy() (as suggested by Jeo Perches) be enough?
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
> that I suspect a local memset, and then a field by field copy right
> before copy_to_user might be a sound solution. But ick. That is a lot
> of fields to copy.
>
>
> Eric
>
>
>
>> drivers/video/fbdev/core/fbmem.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
>> index 6f6fc785b545..b4ce6a28aed9 100644
>> --- a/drivers/video/fbdev/core/fbmem.c
>> +++ b/drivers/video/fbdev/core/fbmem.c
>> @@ -1109,6 +1109,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
>> ret = -EFAULT;
>> break;
>> case FBIOGET_FSCREENINFO:
>> + memset(&fix, 0, sizeof(fix));
>> lock_fb_info(info);
>> fix = info->fix;
>> if (info->flags & FBINFO_HIDE_SMEM_START)
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread* [PATCH v2] fbdev: potential information leak in do_fb_ioctl()
2020-01-03 13:07 ` Bartlomiej Zolnierkiewicz
@ 2020-01-13 11:08 ` Dan Carpenter
2020-01-15 14:31 ` Bartlomiej Zolnierkiewicz
2020-01-13 12:49 ` [PATCH] " Arnd Bergmann
1 sibling, 1 reply; 21+ messages in thread
From: Dan Carpenter @ 2020-01-13 11:08 UTC (permalink / raw)
To: Bartlomiej Zolnierkiewicz
Cc: Daniel Thompson, Gerd Hoffmann, Arnd Bergmann, Jani Nikula,
Daniel Vetter, linux-fbdev, dri-devel, linux-kernel,
kernel-janitors, Eric W. Biederman, Andrew Morton, Sam Ravnborg,
Peter Rosin, Andrea Righi
The "fix" struct has a 2 byte hole after ->ywrapstep and the
"fix = info->fix;" assignment doesn't necessarily clear it. It depends
on the compiler. The solution is just to replace the assignment with an
memcpy().
Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: Use memcpy()
drivers/video/fbdev/core/fbmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
index d04554959ea7..bb8d8dbc0461 100644
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -1115,7 +1115,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
break;
case FBIOGET_FSCREENINFO:
lock_fb_info(info);
- fix = info->fix;
+ memcpy(&fix, &info->fix, sizeof(fix));
if (info->flags & FBINFO_HIDE_SMEM_START)
fix.smem_start = 0;
unlock_fb_info(info);
--
2.11.0
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply related [flat|nested] 21+ messages in thread* Re: [PATCH v2] fbdev: potential information leak in do_fb_ioctl()
2020-01-13 11:08 ` [PATCH v2] " Dan Carpenter
@ 2020-01-15 14:31 ` Bartlomiej Zolnierkiewicz
0 siblings, 0 replies; 21+ messages in thread
From: Bartlomiej Zolnierkiewicz @ 2020-01-15 14:31 UTC (permalink / raw)
To: Dan Carpenter
Cc: Daniel Thompson, Gerd Hoffmann, Arnd Bergmann, Jani Nikula,
Daniel Vetter, linux-fbdev, dri-devel, linux-kernel,
kernel-janitors, Eric W. Biederman, Andrew Morton, Sam Ravnborg,
Peter Rosin, Andrea Righi
On 1/13/20 12:08 PM, Dan Carpenter wrote:
> The "fix" struct has a 2 byte hole after ->ywrapstep and the
> "fix = info->fix;" assignment doesn't necessarily clear it. It depends
> on the compiler. The solution is just to replace the assignment with an
> memcpy().
>
> Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Patch queued for v5.6, thanks.
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
> ---
> v2: Use memcpy()
>
> drivers/video/fbdev/core/fbmem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
> index d04554959ea7..bb8d8dbc0461 100644
> --- a/drivers/video/fbdev/core/fbmem.c
> +++ b/drivers/video/fbdev/core/fbmem.c
> @@ -1115,7 +1115,7 @@ static long do_fb_ioctl(struct fb_info *info, unsigned int cmd,
> break;
> case FBIOGET_FSCREENINFO:
> lock_fb_info(info);
> - fix = info->fix;
> + memcpy(&fix, &info->fix, sizeof(fix));
> if (info->flags & FBINFO_HIDE_SMEM_START)
> fix.smem_start = 0;
> unlock_fb_info(info);
>
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2020-01-03 13:07 ` Bartlomiej Zolnierkiewicz
2020-01-13 11:08 ` [PATCH v2] " Dan Carpenter
@ 2020-01-13 12:49 ` Arnd Bergmann
2020-01-15 13:09 ` Bartlomiej Zolnierkiewicz
1 sibling, 1 reply; 21+ messages in thread
From: Arnd Bergmann @ 2020-01-13 12:49 UTC (permalink / raw)
To: Bartlomiej Zolnierkiewicz
Cc: Linux Fbdev development list, security, Gerd Hoffmann, Kees Cook,
kernel-janitors, Daniel Vetter, linux-kernel, dri-devel,
Julia Lawall, Eric W. Biederman, Joe Perches, Sam Ravnborg,
Peter Rosin, Dan Carpenter, Andrea Righi
On Fri, Jan 3, 2020 at 2:09 PM Bartlomiej Zolnierkiewicz
<b.zolnierkie@samsung.com> wrote:
> On 10/29/19 8:02 PM, Eric W. Biederman wrote:
> >
> > The goal is to avoid memory that has values of the previous users of
> > that memory region from leaking to userspace. Which depending on who
> > the previous user of that memory region is could tell userspace
> > information about what the kernel is doing that it should not be allowed
> > to find out.
> >
> > I tried to trace through where "info" and thus presumably "info->fix" is
> > coming from and only made it as far as register_framebuffer. Given
>
> "info" (and thus "info->fix") comes from framebuffer_alloc() (which is
> called by fbdev device drivers prior to registering "info" with
> register_framebuffer()). framebuffer_alloc() does kzalloc() on "info".
>
> Therefore shouldn't memcpy() (as suggested by Jeo Perches) be enough?
Is it guaranteed that all drivers call framebuffer_alloc() rather than
open-coding it somewhere?
Here is a list of all files that call register_framebuffer() without first
calling framebuffer_alloc:
$ git grep -wl register_framebuffer | xargs grep -L framebuffer_alloc
Documentation/fb/framebuffer.rst
drivers/media/pci/ivtv/ivtvfb.c
drivers/media/platform/vivid/vivid-osd.c
drivers/video/fbdev/68328fb.c
drivers/video/fbdev/acornfb.c
drivers/video/fbdev/amba-clcd.c
drivers/video/fbdev/atafb.c
drivers/video/fbdev/au1100fb.c
drivers/video/fbdev/controlfb.c
drivers/video/fbdev/core/fbmem.c
drivers/video/fbdev/cyber2000fb.c
drivers/video/fbdev/fsl-diu-fb.c
drivers/video/fbdev/g364fb.c
drivers/video/fbdev/goldfishfb.c
drivers/video/fbdev/hpfb.c
drivers/video/fbdev/macfb.c
drivers/video/fbdev/matrox/matroxfb_base.c
drivers/video/fbdev/matrox/matroxfb_crtc2.c
drivers/video/fbdev/maxinefb.c
drivers/video/fbdev/ocfb.c
drivers/video/fbdev/pxafb.c
drivers/video/fbdev/sa1100fb.c
drivers/video/fbdev/stifb.c
drivers/video/fbdev/valkyriefb.c
drivers/video/fbdev/vermilion/vermilion.c
drivers/video/fbdev/vt8500lcdfb.c
drivers/video/fbdev/wm8505fb.c
drivers/video/fbdev/xilinxfb.c
It's possible (even likely, the ones I looked at are fine) that they
all correctly
zero out the fb_info structure first, but it seems hard to guarantee, so
Eric's suggestion would possibly still be the safer choice.
Arnd
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2020-01-13 12:49 ` [PATCH] " Arnd Bergmann
@ 2020-01-15 13:09 ` Bartlomiej Zolnierkiewicz
2020-01-15 13:16 ` Arnd Bergmann
0 siblings, 1 reply; 21+ messages in thread
From: Bartlomiej Zolnierkiewicz @ 2020-01-15 13:09 UTC (permalink / raw)
To: Arnd Bergmann
Cc: Linux Fbdev development list, security, Gerd Hoffmann, Kees Cook,
kernel-janitors, Daniel Vetter, linux-kernel, dri-devel,
Julia Lawall, Eric W. Biederman, Joe Perches, Sam Ravnborg,
Peter Rosin, Dan Carpenter, Andrea Righi
On 1/13/20 1:49 PM, Arnd Bergmann wrote:
> On Fri, Jan 3, 2020 at 2:09 PM Bartlomiej Zolnierkiewicz
> <b.zolnierkie@samsung.com> wrote:
>> On 10/29/19 8:02 PM, Eric W. Biederman wrote:
>>>
>>> The goal is to avoid memory that has values of the previous users of
>>> that memory region from leaking to userspace. Which depending on who
>>> the previous user of that memory region is could tell userspace
>>> information about what the kernel is doing that it should not be allowed
>>> to find out.
>>>
>>> I tried to trace through where "info" and thus presumably "info->fix" is
>>> coming from and only made it as far as register_framebuffer. Given
>>
>> "info" (and thus "info->fix") comes from framebuffer_alloc() (which is
>> called by fbdev device drivers prior to registering "info" with
>> register_framebuffer()). framebuffer_alloc() does kzalloc() on "info".
>>
>> Therefore shouldn't memcpy() (as suggested by Jeo Perches) be enough?
>
> Is it guaranteed that all drivers call framebuffer_alloc() rather than
> open-coding it somewhere?
>
> Here is a list of all files that call register_framebuffer() without first
> calling framebuffer_alloc:
>
> $ git grep -wl register_framebuffer | xargs grep -L framebuffer_alloc
> Documentation/fb/framebuffer.rst
> drivers/media/pci/ivtv/ivtvfb.c
> drivers/media/platform/vivid/vivid-osd.c
> drivers/video/fbdev/68328fb.c
> drivers/video/fbdev/acornfb.c
> drivers/video/fbdev/amba-clcd.c
> drivers/video/fbdev/atafb.c
> drivers/video/fbdev/au1100fb.c
> drivers/video/fbdev/controlfb.c
> drivers/video/fbdev/core/fbmem.c
> drivers/video/fbdev/cyber2000fb.c
> drivers/video/fbdev/fsl-diu-fb.c
> drivers/video/fbdev/g364fb.c
> drivers/video/fbdev/goldfishfb.c
> drivers/video/fbdev/hpfb.c
> drivers/video/fbdev/macfb.c
> drivers/video/fbdev/matrox/matroxfb_base.c
> drivers/video/fbdev/matrox/matroxfb_crtc2.c
> drivers/video/fbdev/maxinefb.c
> drivers/video/fbdev/ocfb.c
> drivers/video/fbdev/pxafb.c
> drivers/video/fbdev/sa1100fb.c
> drivers/video/fbdev/stifb.c
> drivers/video/fbdev/valkyriefb.c
> drivers/video/fbdev/vermilion/vermilion.c
> drivers/video/fbdev/vt8500lcdfb.c
> drivers/video/fbdev/wm8505fb.c
> drivers/video/fbdev/xilinxfb.c
>
> It's possible (even likely, the ones I looked at are fine) that they
> all correctly
> zero out the fb_info structure first, but it seems hard to guarantee, so
> Eric's suggestion would possibly still be the safer choice.
I've audited all above instances and they are all fine. They either
use the fb_info structure embedded in a driver specific structure
(which is zeroed out) or (in case of some m68k specific drivers) use
a static fb_info instance.
Since fbdev is closed for new drivers it should be now fine to use
the simpler approach (just use memcpy()).
Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
2020-01-15 13:09 ` Bartlomiej Zolnierkiewicz
@ 2020-01-15 13:16 ` Arnd Bergmann
0 siblings, 0 replies; 21+ messages in thread
From: Arnd Bergmann @ 2020-01-15 13:16 UTC (permalink / raw)
To: Bartlomiej Zolnierkiewicz
Cc: Linux Fbdev development list, security, Gerd Hoffmann, Kees Cook,
kernel-janitors, Daniel Vetter, linux-kernel, dri-devel,
Julia Lawall, Eric W. Biederman, Joe Perches, Sam Ravnborg,
Peter Rosin, Dan Carpenter, Andrea Righi
On Wed, Jan 15, 2020 at 2:09 PM Bartlomiej Zolnierkiewicz
<b.zolnierkie@samsung.com> wrote:
> > $ git grep -wl register_framebuffer | xargs grep -L framebuffer_alloc
> > Documentation/fb/framebuffer.rst
> > drivers/media/pci/ivtv/ivtvfb.c
> > drivers/media/platform/vivid/vivid-osd.c
> > drivers/video/fbdev/68328fb.c
> > drivers/video/fbdev/acornfb.c
> > drivers/video/fbdev/amba-clcd.c
> > drivers/video/fbdev/atafb.c
> > drivers/video/fbdev/au1100fb.c
> > drivers/video/fbdev/controlfb.c
> > drivers/video/fbdev/core/fbmem.c
> > drivers/video/fbdev/cyber2000fb.c
> > drivers/video/fbdev/fsl-diu-fb.c
> > drivers/video/fbdev/g364fb.c
> > drivers/video/fbdev/goldfishfb.c
> > drivers/video/fbdev/hpfb.c
> > drivers/video/fbdev/macfb.c
> > drivers/video/fbdev/matrox/matroxfb_base.c
> > drivers/video/fbdev/matrox/matroxfb_crtc2.c
> > drivers/video/fbdev/maxinefb.c
> > drivers/video/fbdev/ocfb.c
> > drivers/video/fbdev/pxafb.c
> > drivers/video/fbdev/sa1100fb.c
> > drivers/video/fbdev/stifb.c
> > drivers/video/fbdev/valkyriefb.c
> > drivers/video/fbdev/vermilion/vermilion.c
> > drivers/video/fbdev/vt8500lcdfb.c
> > drivers/video/fbdev/wm8505fb.c
> > drivers/video/fbdev/xilinxfb.c
> >
> > It's possible (even likely, the ones I looked at are fine) that they
> > all correctly
> > zero out the fb_info structure first, but it seems hard to guarantee, so
> > Eric's suggestion would possibly still be the safer choice.
>
> I've audited all above instances and they are all fine. They either
> use the fb_info structure embedded in a driver specific structure
> (which is zeroed out) or (in case of some m68k specific drivers) use
> a static fb_info instance.
>
> Since fbdev is closed for new drivers it should be now fine to use
> the simpler approach (just use memcpy()).
Yes, let's do that then. The complex approach seems more likely
to introduce a bug than one of the existing drivers to stop initializing
the structure correctly.
Arnd
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 21+ messages in thread