linux-kernel-mentees.lists.linuxfoundation.org archive mirror
 help / color / mirror / Atom feed
From: Jason Gunthorpe <jgg@ziepe.ca>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: rds-devel@oss.oracle.com, Arnd Bergmann <arnd@arndb.de>,
	Leon Romanovsky <leon@kernel.org>,
	linux-rdma@vger.kernel.org, netdev@vger.kernel.org,
	Santosh Shilimkar <santosh.shilimkar@oracle.com>,
	linux-kernel@vger.kernel.org,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	linux-kernel-mentees@lists.linuxfoundation.org,
	Peilin Ye <yepeilin.cs@gmail.com>,
	Dan Carpenter <dan.carpenter@oracle.com>
Subject: Re: [Linux-kernel-mentees] [PATCH net] rds: Prevent kernel-infoleak in rds_notify_queue_get()
Date: Fri, 31 Jul 2020 11:36:04 -0300	[thread overview]
Message-ID: <20200731143604.GF24045@ziepe.ca> (raw)
In-Reply-To: <20200731142148.GA1718799@kroah.com>

On Fri, Jul 31, 2020 at 04:21:48PM +0200, Greg Kroah-Hartman wrote:

> > The spec was updated in C11 to require zero'ing padding when doing
> > partial initialization of aggregates (eg = {})
> > 
> > """if it is an aggregate, every member is initialized (recursively)
> > according to these rules, and any padding is initialized to zero
> > bits;"""
> 
> But then why does the compilers not do this?

Do you have an example?

> > Considering we have thousands of aggregate initializers it
> > seems likely to me Linux also requires a compiler with this C11
> > behavior to operate correctly.
> 
> Note that this is not an "operate correctly" thing, it is a "zero out
> stale data in structure paddings so that data will not leak to
> userspace" thing.

Yes, not being insecure is "operate correctly", IMHO :)
 
> > Does this patch actually fix anything? My compiler generates identical
> > assembly code in either case.
> 
> What compiler version?

I tried clang 10 and gcc 9.3 for x86-64.

#include <string.h>

void test(void *out)
{
	struct rds_rdma_notify {
		unsigned long user_token;
		unsigned int status;
	} foo = {};
	memcpy(out, &foo, sizeof(foo));
}

$ gcc -mno-sse2 -O2 -Wall -std=c99 t.c -S

test:
	endbr64
	movq	$0, (%rdi)
	movq	$0, 8(%rdi)
	ret

Just did this same test with gcc 4.4 and it also gave the same output..

Made it more complex with this:

	struct rds_rdma_notify {
		unsigned long user_token;
		unsigned char status;
		unsigned long user_token1;
		unsigned char status1;
		unsigned long user_token2;
		unsigned char status2;
		unsigned long user_token3;
		unsigned char status3;
		unsigned long user_token4;
		unsigned char status4;
	} foo;

And still got the same assembly vs memset on gcc 4.4.

I tried for a bit and didn't find a way to get even old gcc 4.4 to not
initialize the holes.

Jason
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

  reply	other threads:[~2020-07-31 14:36 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-30 19:20 [Linux-kernel-mentees] [PATCH net] rds: Prevent kernel-infoleak in rds_notify_queue_get() Peilin Ye
2020-07-30 19:29 ` santosh.shilimkar
2020-07-31  4:53 ` Leon Romanovsky
2020-07-31  5:33   ` Greg Kroah-Hartman
2020-07-31  5:33     ` Greg Kroah-Hartman
2020-07-31  6:29       ` Andy Shevchenko
2020-07-31  7:00         ` Leon Romanovsky
2020-07-31  7:05           ` Andy Shevchenko
2020-07-31 14:04       ` Jason Gunthorpe
2020-07-31 14:21         ` Greg Kroah-Hartman
2020-07-31 14:36           ` Jason Gunthorpe [this message]
2020-07-31 17:19             ` Greg Kroah-Hartman
2020-07-31 18:27               ` Jason Gunthorpe
2020-08-01  8:00                 ` Dan Carpenter
2020-08-01 14:40                   ` Jason Gunthorpe
2020-08-03  9:34                     ` Dan Carpenter
2020-08-01  5:38               ` Leon Romanovsky
2020-08-02 22:10                 ` Jason Gunthorpe
2020-08-02 22:23                   ` Joe Perches
2020-08-02 22:28                     ` Jason Gunthorpe
2020-08-02 22:45                       ` Joe Perches
2020-08-03  4:58                         ` Leon Romanovsky
2020-08-03 23:06                         ` Jason Gunthorpe
2020-08-08 22:57                           ` Jack Leadford
2020-08-09  7:04                             ` Leon Romanovsky
2020-08-14 17:07                             ` Jason Gunthorpe
2020-07-31  6:31   ` Andy Shevchenko
2020-07-31  9:59   ` Dan Carpenter
2020-07-31 11:14     ` Håkon Bugge
2020-07-31 11:59       ` Greg Kroah-Hartman
2020-07-31 12:03         ` Håkon Bugge
2020-07-31 23:54 ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200731143604.GF24045@ziepe.ca \
    --to=jgg@ziepe.ca \
    --cc=arnd@arndb.de \
    --cc=dan.carpenter@oracle.com \
    --cc=davem@davemloft.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=kuba@kernel.org \
    --cc=leon@kernel.org \
    --cc=linux-kernel-mentees@lists.linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rdma@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=rds-devel@oss.oracle.com \
    --cc=santosh.shilimkar@oracle.com \
    --cc=yepeilin.cs@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).