From: Dmitry Vyukov
Date: Fri, 27 Apr 2018 18:29:20 +0200
Subject: Re: [PATCH net] vhost: Use kzalloc() to allocate vhost_msg_node
To: "Michael S. Tsirkin"
Cc: Kevin Easton, Jason Wang, KVM list, virtualization@lists.linux-foundation.org, netdev, LKML, syzkaller-bugs
References: <000000000000a5b2b1056a86e98c@google.com> <20180427154502.GA22544@la.guarana.org> <20180427185501-mutt-send-email-mst@kernel.org> <20180427191430-mutt-send-email-mst@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 27, 2018 at 6:25 PM, Dmitry Vyukov wrote:
>>> >> The struct vhost_msg within struct vhost_msg_node is copied to userspace,
>>> >> so it should be allocated with kzalloc() to ensure all structure padding
>>> >> is zeroed.
>>> >>
>>> >> Signed-off-by: Kevin Easton
>>> >> Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
>>> >
>>> > Does it help if a patch naming the padding is applied,
>>> > and then we init just the relevant field?
>>> > Just curious.
>>>
>>> Yes, it would help.
>>
>> I think it's slightly better that way then. node has a lot of internal
>> stuff we don't care to init. Would you mind taking my patch and building
>> on top of that then?
>
>
> But it's asking for more information leaks in future. This looks like
> work for compiler.

Modern compilers are perfectly capable of doing this:

#include <string.h>
#include <unistd.h>

int main()
{
	int x[10];
	/* whole-object memset first, then per-element stores; x[1] is only
	 * ever written by the memset and stays zero */
	memset(&x, 0, sizeof(x));
	x[0] = 0;
	x[2] = 2;
	x[3] = 3;
	x[4] = 4;
	x[5] = 5;
	x[6] = 6;
	x[7] = 7;
	x[8] = 8;
	x[9] = 9;
	write(0, x, sizeof(x));
	return 0;
}

gcc 7.2 -O3

0000000000000540 <main>:
 540:	sub    $0x38,%rsp
 544:	mov    $0x28,%edx
 549:	xor    %edi,%edi
 54b:	movdqa 0x1cd(%rip),%xmm0        # 720 <_IO_stdin_used+0x10>
 553:	mov    %rsp,%rsi
 556:	movq   $0x0,(%rsp)
 55e:	movups %xmm0,0x8(%rsp)
 563:	movdqa 0x1c5(%rip),%xmm0        # 730 <_IO_stdin_used+0x20>
 56b:	movups %xmm0,0x18(%rsp)
 570:	callq  520
 575:	xor    %eax,%eax
 577:	add    $0x38,%rsp
 57b:	retq
 57c:	nopl   0x0(%rax)

But they will not put a security hole next time fields are shuffled.

>>> >> ---
>>> >>  drivers/vhost/vhost.c | 2 +-
>>> >>  1 file changed, 1 insertion(+), 1 deletion(-)
>>> >>
>>> >> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
>>> >> index f3bd8e9..1b84dcff 100644
>>> >> --- a/drivers/vhost/vhost.c
>>> >> +++ b/drivers/vhost/vhost.c
>>> >> @@ -2339,7 +2339,7 @@ EXPORT_SYMBOL_GPL(vhost_disable_notify);
>>> >>  /* Create a new message. */
>>> >>  struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type)
>>> >>  {
>>> >> -	struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
>>> >> +	struct vhost_msg_node *node = kzalloc(sizeof *node, GFP_KERNEL);
>>> >>  	if (!node)
>>> >>  		return NULL;
>>> >>  	node->vq = vq;
>>> >> --
>>> >> 2.8.1
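Review bot: the kzalloc() line in the hunk carries no hint of why zeroing is required, so the next person touching vhost_new_msg() can switch it back to kmalloc() or to per-field initialisation without noticing; a one-line comment at the call, along the lines of "/* zeroed: the embedded vhost_msg is copied to userspace, padding included */", would record the reason the commit message gives. Of the two options discussed in the thread, zeroing the whole node is the one that does not depend on the current layout: naming the padding and initialising just that field works only until the fields are reordered, and then fails silently, which is the point made about compilers not closing a hole "next time fields are shuffled".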
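The padding leak the patch closes, as an added example that is not part of the thread or of the vhost code: a constructed userspace model (struct msg, the 0xAA fill and the function names are all made up here) fills a message field by field, as vhost_new_msg() does, and counts how many padding bytes still hold whatever the allocator handed back, once for a kmalloc()-style allocation and once for a kzalloc()-style one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the message that is copied out: the 4-byte field
 * before an 8-byte one forces 4 bytes of padding, the 1-byte tail adds more. */
struct msg {
	uint32_t type;
	uint64_t iova;
	uint8_t  perm;
};

/* Count bytes that belong to no named field and are non-zero.  Coverage comes
 * from offsetof()/sizeof(), so the check survives a later reordering of the
 * fields; nothing depends on the padding having a name. */
size_t stale_padding_bytes(const struct msg *m)
{
	const unsigned char *raw = (const unsigned char *)m;
	unsigned char covered[sizeof(*m)] = { 0 };
	size_t i, stale = 0;

	memset(covered + offsetof(struct msg, type), 1, sizeof(m->type));
	memset(covered + offsetof(struct msg, iova), 1, sizeof(m->iova));
	memset(covered + offsetof(struct msg, perm), 1, sizeof(m->perm));
	for (i = 0; i < sizeof(*m); i++)
		if (!covered[i] && raw[i] != 0)
			stale++;
	return stale;
}

/* Allocate and fill a message field by field.  Recycled kmalloc() memory is
 * modelled by a 0xAA fill (constructed value); zero_first = 1 models kzalloc().
 * The field stores never write the padding, so the fill's bytes stay there. */
size_t padding_leak(int zero_first)
{
	struct msg *m = malloc(sizeof(*m));
	size_t stale;

	if (!m)
		return (size_t)-1;
	memset(m, zero_first ? 0x00 : 0xAA, sizeof(*m));
	m->type = 2;
	m->iova = 0x1000;
	m->perm = 1;
	stale = stale_padding_bytes(m);
	free(m);
	return stale;
}
```

On x86-64 the kmalloc-style allocation reports 11 stale bytes out of 24, and the kzalloc-style one reports 0; the count is the total padding, whatever the ABI.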