From: Geert Uytterhoeven
Date: Fri, 27 Sep 2019 14:43:19 +0200
Subject: Re: [PATCH] m68k: q40: Fix info-leak in rtc_ioctl
To: Fuqian Huang
Cc: linux-m68k, Linux Kernel Mailing List

Hi Fuqian,

On Fri, Sep 27, 2019 at 2:15 PM Fuqian Huang wrote:
> When the option is RTC_PLL_GET, pll will be copied to userland
> via copy_to_user. pll is initialized using mach_get_rtc_pll indirect
> call and mach_get_rtc_pll is only assigned with function
> q40_get_rtc_pll in arch/m68k/q40/config.c.
> In function q40_get_rtc_pll, the field pll_ctrl is not initialized.
> This will leak uninitialized stack content to userland.
> Fix this by zeroing the uninitialized field.
>
> Signed-off-by: Fuqian Huang

Thanks for your patch!

> --- a/arch/m68k/q40/config.c > +++ b/arch/m68k/q40/config.c > @@ -264,6 +264,7 @@ static int q40_get_rtc_pll(struct rtc_pll_info *pll) > { > int tmp = Q40_RTC_CTRL; > > + pll->pll_ctrl = 0; > pll->pll_value = tmp & Q40_RTC_PLL_MASK; > if (tmp & Q40_RTC_PLL_SIGN) > pll->pll_value = -pll->pll_value;

Nice catch!

Reviewed-by: Geert Uytterhoeven
i.e. will queue for v5.5.

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
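
Review bot: the added `pll->pll_ctrl = 0;` at the top of q40_get_rtc_pll() clears a single member, so whether anything uninitialized still reaches copy_to_user depends on every other member of struct rtc_pll_info, and any padding between members, being written elsewhere in this function, which the visible context does not show. Since the commit message says the structure lives on the caller's stack and is copied to userland whole, zeroing the entire object would be more robust than a per-field fix: either `memset(pll, 0, sizeof(*pll));` as the first statement here, or initializing the structure in the rtc_ioctl caller before the mach_get_rtc_pll indirect call, which would also cover any other implementation of that hook added later.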