From: ebiederm@xmission.com (Eric W. Biederman)
To: Andrea Righi <andrea.righi@canonical.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
Sam Ravnborg <sam@ravnborg.org>,
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
Peter Rosin <peda@axentia.se>, Gerd Hoffmann <kraxel@redhat.com>,
dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org,
linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org,
security@kernel.org, Kees Cook <keescook@chromium.org>,
Julia Lawall <Julia.Lawall@lip6.fr>
Subject: Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
Date: Wed, 30 Oct 2019 14:26:21 -0500 [thread overview]
Message-ID: <87r22ujaqq.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20191030074321.GD2656@xps-13> (Andrea Righi's message of "Wed, 30 Oct 2019 08:43:21 +0100")
Andrea Righi <andrea.righi@canonical.com> writes:
> On Tue, Oct 29, 2019 at 02:02:11PM -0500, Eric W. Biederman wrote:
>> Dan Carpenter <dan.carpenter@oracle.com> writes:
>>
>> > The "fix" struct has a 2 byte hole after ->ywrapstep and the
>> > "fix = info->fix;" assignment doesn't necessarily clear it. It depends
>> > on the compiler.
>> >
>> > Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
>> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> > ---
>> > I have 13 more similar places to patch... I'm not totally sure I
>> > understand all the issues involved.
>>
>> What I have done in a similar situation with struct siginfo, is that
>> where the structure first appears I have initialized it with memset,
>> and then field by field.
>>
>> Then when the structure is copied I copy the structure with memcpy.
>>
>> That ensures all of the bytes in the original structure are initialized
>> and that all of the bytes are copied.
>>
>> The goal is to avoid memory that has values of the previous users of
>> that memory region from leaking to userspace. Which depending on who
>> the previous user of that memory region is could tell userspace
>> information about what the kernel is doing that it should not be allowed
>> to find out.
>>
>> I tried to trace through where "info" and thus presumably "info->fix" is
>> coming from and only made it as far as register_framebuffer. Given
>> that I suspect a local memset, and then a field by field copy right
>> before copy_to_user might be a sound solution. But ick. That is a lot
>> of fields to copy.
>
> I know it might sound quite inefficient, but what about making struct
> fb_fix_screeninfo __packed?
>
> This doesn't solve other potential similar issues, but for this
> particular case it could be a reasonable and simple fix.
It is part of the user space ABI. As such you can't move the fields.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Andrea Righi <andrea.righi@canonical.com>
Cc: linux-fbdev@vger.kernel.org, security@kernel.org,
Kees Cook <keescook@chromium.org>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
kernel-janitors@vger.kernel.org,
Daniel Vetter <daniel.vetter@ffwll.ch>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
Julia Lawall <Julia.Lawall@lip6.fr>,
Gerd Hoffmann <kraxel@redhat.com>,
Sam Ravnborg <sam@ravnborg.org>, Peter Rosin <peda@axentia.se>,
Dan Carpenter <dan.carpenter@oracle.com>
Subject: Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
Date: Wed, 30 Oct 2019 14:26:21 -0500 [thread overview]
Message-ID: <87r22ujaqq.fsf@x220.int.ebiederm.org> (raw)
Message-ID: <20191030192621.GaBJp-D0AiMgs120sxikZkqxN8yp3L1xSkaewBNbGSY@z> (raw)
In-Reply-To: <20191030074321.GD2656@xps-13> (Andrea Righi's message of "Wed, 30 Oct 2019 08:43:21 +0100")
Andrea Righi <andrea.righi@canonical.com> writes:
> On Tue, Oct 29, 2019 at 02:02:11PM -0500, Eric W. Biederman wrote:
>> Dan Carpenter <dan.carpenter@oracle.com> writes:
>>
>> > The "fix" struct has a 2 byte hole after ->ywrapstep and the
>> > "fix = info->fix;" assignment doesn't necessarily clear it. It depends
>> > on the compiler.
>> >
>> > Fixes: 1f5e31d7e55a ("fbmem: don't call copy_from/to_user() with mutex held")
>> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> > ---
>> > I have 13 more similar places to patch... I'm not totally sure I
>> > understand all the issues involved.
>>
>> What I have done in a similar situation with struct siginfo, is that
>> where the structure first appears I have initialized it with memset,
>> and then field by field.
>>
>> Then when the structure is copied I copy the structure with memcpy.
>>
>> That ensures all of the bytes in the original structure are initialized
>> and that all of the bytes are copied.
>>
>> The goal is to avoid memory that has values of the previous users of
>> that memory region from leaking to userspace. Which depending on who
>> the previous user of that memory region is could tell userspace
>> information about what the kernel is doing that it should not be allowed
>> to find out.
>>
>> I tried to trace through where "info" and thus presumably "info->fix" is
>> coming from and only made it as far as register_framebuffer. Given
>> that I suspect a local memset, and then a field by field copy right
>> before copy_to_user might be a sound solution. But ick. That is a lot
>> of fields to copy.
>
> I know it might sound quite inefficient, but what about making struct
> fb_fix_screeninfo __packed?
>
> This doesn't solve other potential similar issues, but for this
> particular case it could be a reasonable and simple fix.
It is part of the user space ABI. As such you can't move the fields.
Eric
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2019-10-30 19:26 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-29 18:23 [PATCH] fbdev: potential information leak in do_fb_ioctl() Dan Carpenter
2019-10-29 18:35 ` Joe Perches
2019-10-29 18:35 ` Joe Perches
2019-10-29 19:02 ` Eric W. Biederman
2019-10-29 19:02 ` Eric W. Biederman
2019-10-30 7:43 ` Andrea Righi
2019-10-30 7:43 ` Andrea Righi
2019-10-30 19:26 ` Eric W. Biederman [this message]
2019-10-30 19:26 ` Eric W. Biederman
2019-10-30 20:12 ` Andrea Righi
2019-10-30 20:12 ` Andrea Righi
2019-10-31 18:16 ` Joe Perches
2019-10-31 18:16 ` Joe Perches
2019-10-31 22:12 ` Eric W. Biederman
2019-10-31 22:12 ` Eric W. Biederman
2020-01-03 13:07 ` Bartlomiej Zolnierkiewicz
2020-01-13 11:08 ` [PATCH v2] " Dan Carpenter
2020-01-15 14:31 ` Bartlomiej Zolnierkiewicz
2020-01-13 12:49 ` [PATCH] " Arnd Bergmann
2020-01-15 13:09 ` Bartlomiej Zolnierkiewicz
2020-01-15 13:16 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r22ujaqq.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=Julia.Lawall@lip6.fr \
--cc=andrea.righi@canonical.com \
--cc=b.zolnierkie@samsung.com \
--cc=dan.carpenter@oracle.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=keescook@chromium.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=kraxel@redhat.com \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=peda@axentia.se \
--cc=sam@ravnborg.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).