Date: Mon, 27 Jul 2020 01:08:23 +0300
From: Laurent Pinchart
To: Peilin Ye
Message-ID: <20200726220823.GI28704@pendragon.ideasonboard.com>
References: <20200726164439.48973-1-yepeilin.cs@gmail.com>
 <20200726173044.GA14755@pendragon.ideasonboard.com>
 <20200726180752.GA49356@PWN>
In-Reply-To: <20200726180752.GA49356@PWN>
Cc: Niklas Söderlund, Arnd Bergmann, syzkaller-bugs@googlegroups.com,
 linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Sakari Ailus,
 Vandana BN, Hans Verkuil, Mauro Carvalho Chehab, Ezequiel Garcia,
 linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [Linux-kernel-mentees] [PATCH] media/v4l2-core: Fix kernel-infoleak in video_put_user()

Hi Peilin,

On Sun, Jul 26, 2020 at 02:07:52PM -0400, Peilin Ye wrote:
> On Sun, Jul 26, 2020 at 08:30:44PM +0300, Laurent Pinchart wrote:
> > Hi Peilin,
> >
> > Thank you for the patch.
> >
> > On Sun, Jul 26, 2020 at 12:44:39PM -0400, Peilin Ye wrote:
> > > video_put_user() is copying uninitialized stack memory to userspace. Fix
> > > it by initializing `vb32` using memset().
> >
> > What makes you think this will fix the issue ? When initializing a
> > structure at declaration time, the fields that are not explicitly
> > specified should be initialized to 0 by the compiler. See
> > https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.cbclx01/strin.htm:
>
> Hi Mr. Pinchart!
>
> First of all, syzbot tested this patch, and it says it's "OK":
>
> https://syzkaller.appspot.com/bug?extid=79d751604cb6f29fbf59
>
> > If a structure variable is partially initialized, all the uninitialized
> > structure members are implicitly initialized to zero no matter what the
> > storage class of the structure variable is. See the following example:
> >
> > struct one {
> >         int a;
> >         int b;
> >         int c;
> > };
> >
> > void main() {
> >         struct one z1;          // Members in z1 do not have default initial values.
> >         static struct one z2;   // z2.a=0, z2.b=0, and z2.c=0.
> >         struct one z3 = {1};    // z3.a=1, z3.b=0, and z3.c=0.
> > }
>
> Yes, I understand that.
> I can safely printk() all members of that struct
> without triggering a KMSAN warning, which means they have been properly
> initialized.
>
> However, if I do something like:
>
>         char *p = (char *)&vb32;
>         int i;
>
>         for (i = 0; i < sizeof(vb32); i++, p++)
>                 printk("*(p + i): %d", *(p + i));
>
> This tries to print out `vb32` as "raw memory" one byte at a time, and
> triggers a KMSAN warning somewhere in the middle (when `i` equals 25
> or 26).
>
> According to a previous discussion with Mr. Kroah-Hartman, as well as
> this LWN article:
>
> "Structure holes and information leaks"
> https://lwn.net/Articles/417989/
>
> Initializing a struct by assigning (either partially or fully) leaves the
> "padding" part of it uninitialized, thus potentially leading to a kernel
> information leak if the structure in question is going to be copied to
> userspace.
>
> memset() sets these "uninitialized paddings" to zero, therefore (I
> think) should solve the problem.

You're absolutely right. I wasn't aware the compiler wouldn't initialize
holes in the structure. Thank you for educating me :-)

For the patch,

Reviewed-by: Laurent Pinchart

--
Regards,

Laurent Pinchart
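As an added illustration of the padding-hole point discussed above (example code written for this page, not part of the patch or the thread): `struct sample` is a constructed layout with alignment holes, the 0xAA fill stands in for stale stack contents, and the two functions contrast member-by-member assignment with the memset() approach the patch takes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in with alignment holes, not the real v4l2 buffer layout. */
struct sample {
	uint32_t a;  /* x86_64: 4 bytes, then a 4-byte hole before b */
	uint64_t b;
	uint8_t  c;  /* followed by 7 bytes of tail padding */
};

/* Bytes of the object that belong to no member (11 on x86_64). */
size_t padding_bytes(void)
{
	return sizeof(struct sample) - (sizeof(uint32_t) + sizeof(uint64_t) + sizeof(uint8_t));
}

/* Count hole bytes still holding the 0xAA sentinel: stale bytes a wholesale copy would expose. */
__attribute__((noinline)) static size_t stale_hole_bytes(const struct sample *s)
{
	const unsigned char *p = (const unsigned char *)s;
	unsigned char is_member[sizeof(*s)] = {0};
	size_t i, n = 0;
	memset(is_member + offsetof(struct sample, a), 1, sizeof(s->a));
	memset(is_member + offsetof(struct sample, b), 1, sizeof(s->b));
	memset(is_member + offsetof(struct sample, c), 1, sizeof(s->c));
	for (i = 0; i < sizeof(*s); i++)
		if (!is_member[i] && p[i] == 0xAA)
			n++;
	return n;
}

/* Leaky pattern: 0xAA stands in for stale stack contents; assigning members never touches the holes. */
size_t stale_bytes_assign_only(void)
{
	struct sample s;
	memset(&s, 0xAA, sizeof(s));
	s.a = 1; s.b = 2; s.c = 3;
	return stale_hole_bytes(&s);
}

/* Fixed pattern from the patch: memset() the whole object before filling it. */
size_t stale_bytes_with_memset(void)
{
	struct sample s;
	memset(&s, 0xAA, sizeof(s));
	memset(&s, 0, sizeof(s));
	s.a = 1; s.b = 2; s.c = 3;
	return stale_hole_bytes(&s);
}
```

The designated-initializer case (`= { .a = 1 }`) is deliberately not measured here: the C standard leaves padding unspecified after it, so its result depends on the compiler, which is exactly why memset() is the reliable choice before copying to userspace.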