Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1758855AbeAIPVA (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Tue, 9 Jan 2018 10:21:00 -0500
Received: from mx2.suse.de ([195.135.220.15]:35572 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1758673AbeAIPU6 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Jan 2018 10:20:58 -0500
From: Johannes Thumshirn <jthumshirn@suse.de>
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>,
        Keith Busch <keith.busch@intel.com>,
        Linux Kernel Mailinglist <linux-kernel@vger.kernel.org>,
        Linux NVMe Mailinglist <linux-nvme@lists.infradead.org>,
        Alexander Potapenko <glider@google.com>,
        Johannes Thumshirn <jthumshirn@suse.de>
Subject: [PATCH] nvme: initialize hostid uuid in nvmf_host_default to not leak kernel memory
Date: Tue,  9 Jan 2018 16:20:43 +0100
Message-Id: <20180109152043.30422-1-jthumshirn@suse.de>
X-Mailer: git-send-email 2.13.6
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

Alexander reports:
  according to KMSAN (and common sense as well) the following code in
  drivers/nvme/host/fabrics.c
  (http://elixir.free-electrons.com/linux/latest/source/drivers/nvme/host/fabrics.c#L68):

    72         host = kmalloc(sizeof(*host), GFP_KERNEL);
    73         if (!host)
    74                 return NULL;
    75
    76         kref_init(&host->ref);
    77         snprintf(host->nqn, NVMF_NQN_SIZE,
    78                 "nqn.2014-08.org.nvmexpress:uuid:%pUb", &host->id);

  uses uninitialized heap memory to generate the unique id for the NVMF host.
  If I'm understanding correctly, it can be then passed to the
  userspace, so the contents of the uninitialized chunk may potentially
  leak.
  If the specification doesn't rely on this UID to be random or unique,
  I suggest using kzalloc() here, otherwise it might be a good idea to
  use a real RNG.

this assumption is correct so initialize the host->id using uuid_gen() as
it was done before commit 6bfe04255d5e ("nvme: add hostid token to fabric
options").

Fixes: 6bfe04255d5e ("nvme: add hostid token to fabric options")
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
---
 drivers/nvme/host/fabrics.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c
index 76b4fe6816a0..894c2ccb3891 100644
--- a/drivers/nvme/host/fabrics.c
+++ b/drivers/nvme/host/fabrics.c
@@ -74,6 +74,7 @@ static struct nvmf_host *nvmf_host_default(void)
 		return NULL;
 
 	kref_init(&host->ref);
+	uuid_gen(&host->id);
 	snprintf(host->nqn, NVMF_NQN_SIZE,
 		"nqn.2014-08.org.nvmexpress:uuid:%pUb", &host->id);
 
-- 
2.13.6