From: Arnd Bergmann
Date: Mon, 13 Jan 2020 13:49:30 +0100
Subject: Re: [PATCH] fbdev: potential information leak in do_fb_ioctl()
To: Bartlomiej Zolnierkiewicz
Cc: "Eric W. Biederman", Joe Perches, Dan Carpenter, Andrea Righi, Daniel Vetter, Sam Ravnborg, Maarten Lankhorst, Peter Rosin, Gerd Hoffmann, dri-devel, Linux Fbdev development list, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, security@kernel.org, Kees Cook, Julia Lawall
References: <20191029182320.GA17569@mwanda> <87zhhjjryk.fsf@x220.int.ebiederm.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 3, 2020 at 2:09 PM Bartlomiej Zolnierkiewicz wrote:
> On 10/29/19 8:02 PM, Eric W. Biederman wrote:
> >
> > The goal is to avoid memory that has values of the previous users of
> > that memory region from leaking to userspace. Which depending on who
> > the previous user of that memory region is could tell userspace
> > information about what the kernel is doing that it should not be allowed
> > to find out.
> >
> > I tried to trace through where "info" and thus presumably "info->fix" is
> > coming from and only made it as far as register_framebuffer. Given
>
> "info" (and thus "info->fix") comes from framebuffer_alloc() (which is
> called by fbdev device drivers prior to registering "info" with
> register_framebuffer()). framebuffer_alloc() does kzalloc() on "info".
>
> Therefore shouldn't memcpy() (as suggested by Joe Perches) be enough?

Is it guaranteed that all drivers call framebuffer_alloc() rather than
open-coding it somewhere? Here is a list of all files that call
register_framebuffer() without first calling framebuffer_alloc:

$ git grep -wl register_framebuffer | xargs grep -L framebuffer_alloc
Documentation/fb/framebuffer.rst
drivers/media/pci/ivtv/ivtvfb.c
drivers/media/platform/vivid/vivid-osd.c
drivers/video/fbdev/68328fb.c
drivers/video/fbdev/acornfb.c
drivers/video/fbdev/amba-clcd.c
drivers/video/fbdev/atafb.c
drivers/video/fbdev/au1100fb.c
drivers/video/fbdev/controlfb.c
drivers/video/fbdev/core/fbmem.c
drivers/video/fbdev/cyber2000fb.c
drivers/video/fbdev/fsl-diu-fb.c
drivers/video/fbdev/g364fb.c
drivers/video/fbdev/goldfishfb.c
drivers/video/fbdev/hpfb.c
drivers/video/fbdev/macfb.c
drivers/video/fbdev/matrox/matroxfb_base.c
drivers/video/fbdev/matrox/matroxfb_crtc2.c
drivers/video/fbdev/maxinefb.c
drivers/video/fbdev/ocfb.c
drivers/video/fbdev/pxafb.c
drivers/video/fbdev/sa1100fb.c
drivers/video/fbdev/stifb.c
drivers/video/fbdev/valkyriefb.c
drivers/video/fbdev/vermilion/vermilion.c
drivers/video/fbdev/vt8500lcdfb.c
drivers/video/fbdev/wm8505fb.c
drivers/video/fbdev/xilinxfb.c

It's possible (even likely, the ones I looked at are fine) that they all
correctly zero out the fb_info structure first, but it seems hard to
guarantee, so Eric's suggestion would possibly still be the safer choice.

     Arnd
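As an added illustration (not code from this thread or from the kernel), the following userspace C model shows why the choice discussed above matters: writing only the named fields of a local leaves its padding stale, a whole-struct memcpy() reproduces the source's padding byte for byte and is therefore only as clean as the allocation behind info->fix, while zeroing the local copy before filling it is clean regardless of the source. fake_fix is a hypothetical struct standing in for fb_fix_screeninfo, and the 0xAA fill stands in for whatever a previous user left in memory.

```c
/* Userspace model of the padding leak; fake_fix is hypothetical, not the
 * kernel's fb_fix_screeninfo, and 0xAA stands in for stale memory contents. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct fake_fix {
    uint16_t type;      /* padding follows, up to the 8-byte field */
    uint64_t smem_len;
    char     id[3];     /* tail padding follows */
};
/* The same storage viewed as the struct and as raw bytes. */
union slot { struct fake_fix f; unsigned char raw[sizeof(struct fake_fix)]; };
#define STALE 0xAA      /* whatever a previous user of the memory left behind */
static void make_dirty(union slot *s) { memset(s->raw, STALE, sizeof s->raw); }
static void fill_fields(struct fake_fix *f) { f->type = 1; f->smem_len = 4096; memcpy(f->id, "fb", 3); }
/* Bytes still holding the stale marker: what copy_to_user() would expose. */
static size_t stale_bytes(const union slot *s)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof s->raw; i++)
        n += (s->raw[i] == STALE);
    return n;
}
/* Writing only the named fields of an uninitialised local: padding stays dirty. */
size_t leak_fieldwise(void)
{
    union slot local;
    make_dirty(&local);               /* what the stack slot held before */
    fill_fields(&local.f);
    return stale_bytes(&local);
}
/* Whole-struct memcpy() (Joe's suggestion) reproduces the source's padding, so
 * it is clean only if the source was zero-allocated, as kzalloc() does. */
size_t leak_memcpy(int source_was_zeroed)
{
    union slot src, local;
    if (source_was_zeroed) memset(src.raw, 0, sizeof src.raw);
    else make_dirty(&src);            /* open-coded fb_info, never zeroed */
    fill_fields(&src.f);
    make_dirty(&local);
    memcpy(&local.f, &src.f, sizeof local.f);
    return stale_bytes(&local);
}
/* Zeroing the local copy first (Eric's approach): clean whatever the source holds. */
size_t leak_memset_first(void)
{
    union slot local;
    make_dirty(&local);
    memset(&local.f, 0, sizeof local.f);
    fill_fields(&local.f);
    return stale_bytes(&local);
}
```

The exact number of leaked bytes depends on the ABI's alignment rules, but on every common ABI leak_fieldwise() and leak_memcpy(0) report the same non-zero count while leak_memcpy(1) and leak_memset_first() report none.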