Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp1510893ybg;
        Sat, 26 Oct 2019 22:49:25 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzzjDMdaQxQmnRmtYl1BtgqIaFi7sb0gISIL6Yvh6xuMbdC2YnTCdDYTrQXmRCQjsBVxN1Z
X-Received: by 2002:a17:906:d209:: with SMTP id w9mr11210099ejz.40.1572155365270;
        Sat, 26 Oct 2019 22:49:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1572155365; cv=none;
        d=google.com; s=arc-20160816;
        b=xmc1W8x0mRwp385w9PbsHjtQE1vj7/BcoMfllzuefWVy7amd8uostLq0sCA9Y54Dvx
         tz1HTDzO48Uy4OlueV/bqJqaLJYHmQeriISOcY9dfcnf1ToZPOHMLJ5huumo5qGVERVE
         l2rrATaa1gxynn8Ajt5Kj6F+jjqbIv+No3/UVyu29wM1AmLdP7hHZjPsoUn6I19IoOX5
         NFAoTqhqWjZRyyH3RkgqsoKwhZ8YUISjEjf55TQAi3mqQ02/eU5rRatDzNFtwWD04lUb
         P1WvldtFhbl50BvrQt5+DDfl0ri0EjQo749DDCscszo7+FTgU+9En1BMm4hl4KGGGl1/
         Fh+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=Jp9IpWk93rDE4c0E+eNCbIGcRJ0JW9ER95XMQ/wRuQE=;
        b=MGq+Rn/URHnwBob/1GO+YVtC33/0Cpr0mQBJVaFlt/tmwwWd1EiBcRL1bQxF4D05n0
         zrI+lLwGbFY0tE8qR8tPqXTeXBkCINVFQjKduNpHQFh6LTBx3f64zory7vKL/H5z6p8O
         ucBx3ALJgH8WiemWq4W+gtz8s8DFICSlswPOSw8+EF/INuwKOMULjZS9Uwjrar6KK5iA
         g+YoJhiLY6/IixGWD6XQ/BTXompY7sL0Jm8VDaIze66ytTJ3cLmY9TWiSnRsr5bg7Fac
         cyZSFeAfPBZy2PhKHXM3iFzvTyeFlvuiBm5pgTD2zM+bb0Yb/DT/AsP+/BJ4GYseMeqM
         hWCA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s7si2649262eds.215.2019.10.26.22.49.00;
        Sat, 26 Oct 2019 22:49:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726079AbfJ0FsR (ORCPT <rfc822;luigi.mantellini.ml@gmail.com>
        + 99 others); Sun, 27 Oct 2019 01:48:17 -0400
Received: from mail2-relais-roc.national.inria.fr ([192.134.164.83]:13490 "EHLO
        mail2-relais-roc.national.inria.fr" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1725935AbfJ0FsR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 27 Oct 2019 01:48:17 -0400
X-IronPort-AV: E=Sophos;i="5.68,235,1569276000"; 
   d="scan'208";a="408548235"
Received: from ip-121.net-89-2-166.rev.numericable.fr (HELO hadrien) ([89.2.166.121])
  by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Oct 2019 06:47:55 +0100
Date:   Sun, 27 Oct 2019 06:47:55 +0100 (CET)
From:   Julia Lawall <julia.lawall@lip6.fr>
X-X-Sender: jll@hadrien
To:     Joe Perches <joe@perches.com>
cc:     Andrew Morton <akpm@linux-foundation.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Dan Carpenter <error27@gmail.com>,
        Julia Lawall <julia.lawall@lip6.fr>,
        Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH] kernel: sys.c: Avoid copying possible padding bytes in
 copy_to_user
In-Reply-To: <dfa331c00881d61c8ee51577a082d8bebd61805c.camel@perches.com>
Message-ID: <alpine.DEB.2.21.1910270644590.3186@hadrien>
References: <dfa331c00881d61c8ee51577a082d8bebd61805c.camel@perches.com>
User-Agent: Alpine 2.21 (DEB 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On Sat, 26 Oct 2019, Joe Perches wrote:

> Initialization is not guaranteed to zero padding bytes so
> use an explicit memset instead to avoid leaking any kernel
> content in any possible padding bytes.

Here is an extract of an email that I sent to Kees at one point that left
me unsure about what should be done about these situations:

From Kees:

    The only way to correctly handle this is:

    memset(&instance, 0, sizeof(instance));
    instance.one = 1;

From me:

Actually, this document:

https://wiki.sei.cmu.edu/confluence/display/c/DCL39-C.+Avoid+information+leakage+when+passing+a+structure+across+a+trust+boundary

says that memset is a "noncompliant solution".  They suggest declaring the
structure as packed, as well as some other more unpleasant solutions.
Their point is that 1 will be sitting in a register, and the assignment at
least might copy the upper bytes of the register into the padding space.

-------------------------

Is the memset solution nevertheless what is always wanted in the kernel
when there is padding?

thanks,
julia