Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp6464582ybl; Wed, 15 Jan 2020 05:11:53 -0800 (PST) X-Google-Smtp-Source: APXvYqwbHnCJ07VTklk33ex0cA0QpnGf1lGnaMrBuK866/JeaPwsDZz9uEKWcczx9I0lwRFqe+x9 X-Received: by 2002:a9d:24e8:: with SMTP id z95mr2647960ota.5.1579093912955; Wed, 15 Jan 2020 05:11:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579093912; cv=none; d=google.com; s=arc-20160816; b=PL7RVUeMNww4l7052Ef0Is47dSQl6y8SoRnvht+W8QfivqcUot76fzQRKCtQaqU61R MITrKve1clGOJMAxu/pR7xXj3PHvp7jNeIs6z4T6HVY2JKLf8alFjHxWEMCv47y4TU+F 5Fb1BYXIZPuOcSi8zeTK3rwJ862B/x3cyx58uEQKo3sGjGvLk3hYSo4Plb8SRj/UuJZW fJ0yUBINRzJdhgGHTM8Kcvk7VPEAxG7uXdplyF3u5Srz0l4zJpW2nx3qJMthLZaLiD3W t11yyl87nI1/X8lQEEJkao50Zo8+vpNL141bUxWwK8XM9r1bkcNGwj1IIwfEIiWqi6rv 4KEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:cms-type :content-transfer-encoding:content-language:in-reply-to:mime-version :user-agent:date:message-id:from:cc:to:subject:dkim-signature :dkim-filter; bh=ueSGlkXTpFk7VXNWLhrgWBJ0hToomm/X8o6QoUdinb8=; b=cM1rZKZz2dtiYcf4QG9CUxUjM2EEhJiZNsKi0udhj86JkmsLTK0kjI/VQa6t8yKJTo 4iDajKk7ksKHias9RcG1kTlgv2NCiqnc4hcGaBBnx014EmO7z02w2NqZynE1tARP57U6 02NDfod8zQNlVmfNDRfT5guUwxosE/imQEHls1+d1X+R2KFKevx8SWnEV1b0R+u+W6vr M9NZRBz78ZDdx6iuDw3mjAn/dTzEWxJxJJPtUOC3qvFIE6nMxCt78cu7/X09MjOblhft TpUHiFxN4reBAmz9IFPsU97gjh4/qc7F7v4og48pCh8oNVZR+EsQTFwpo4B9ZMgD0vkv qKhw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@samsung.com header.s=mail20170921 header.b=F2ewjwg9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=samsung.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k7si11133065otp.22.2020.01.15.05.11.39; Wed, 15 Jan 2020 05:11:52 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@samsung.com header.s=mail20170921 header.b=F2ewjwg9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=samsung.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726483AbgAONJk (ORCPT + 99 others); Wed, 15 Jan 2020 08:09:40 -0500 Received: from mailout1.w1.samsung.com ([210.118.77.11]:37582 "EHLO mailout1.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726071AbgAONJk (ORCPT ); Wed, 15 Jan 2020 08:09:40 -0500 Received: from eucas1p2.samsung.com (unknown [182.198.249.207]) by mailout1.w1.samsung.com (KnoxPortal) with ESMTP id 20200115130938euoutp01dad866682990e65cc118dbda39c48c01~qEWzWHoWr1900919009euoutp01f for ; Wed, 15 Jan 2020 13:09:38 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 mailout1.w1.samsung.com 20200115130938euoutp01dad866682990e65cc118dbda39c48c01~qEWzWHoWr1900919009euoutp01f DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samsung.com; s=mail20170921; t=1579093778; bh=ueSGlkXTpFk7VXNWLhrgWBJ0hToomm/X8o6QoUdinb8=; h=Subject:To:Cc:From:Date:In-Reply-To:References:From; b=F2ewjwg9r/omc4RxFTFZ6/9ejp2YYMbOj2iI3m+gE4P1AEDxG8cqnETqo5AO5yVMK bPVz+c397OJj0OLUMEju34BFESLBbMe86MHbL0xYrWdh4Qg3jfstwJTudVp2xlc3Gg v3ctWe30hzg3E8B81666+xh/uI2TwZuBpf282Vvs= Received: from eusmges1new.samsung.com (unknown [203.254.199.242]) by eucas1p2.samsung.com (KnoxPortal) with ESMTP id 20200115130938eucas1p209b4204b639c05afc3880b4aa4ed47f1~qEWzACZoT1216012160eucas1p2t; Wed, 15 Jan 2020 13:09:38 +0000 (GMT) Received: from eucas1p1.samsung.com ( [182.198.249.206]) by eusmges1new.samsung.com (EUCPMTA) with SMTP id 5B.5F.61286.11F0F1E5; Wed, 15 Jan 2020 13:09:38 +0000 (GMT) Received: from eusmtrp2.samsung.com (unknown [182.198.249.139]) by eucas1p2.samsung.com (KnoxPortal) with ESMTPA id 20200115130937eucas1p2674b7613bb50697556ab3068985b8776~qEWynydpI1216512165eucas1p2r; Wed, 15 Jan 2020 13:09:37 +0000 (GMT) Received: from eusmgms1.samsung.com (unknown [182.198.249.179]) by eusmtrp2.samsung.com (KnoxPortal) with ESMTP id 20200115130937eusmtrp261b214e7212697676c420e59c0951e30~qEWym_ss00896208962eusmtrp2B; Wed, 15 Jan 2020 13:09:37 +0000 (GMT) X-AuditID: cbfec7f2-f0bff7000001ef66-c9-5e1f0f112373 Received: from eusmtip1.samsung.com ( [203.254.199.221]) by eusmgms1.samsung.com (EUCPMTA) with SMTP id 2E.FB.08375.11F0F1E5; Wed, 15 Jan 2020 13:09:37 +0000 (GMT) Received: from [106.120.51.71] (unknown [106.120.51.71]) by eusmtip1.samsung.com (KnoxPortal) with ESMTPA id 20200115130936eusmtip13802b1dead4248941f960f209aad27df~qEWxmaNxD2707427074eusmtip15; Wed, 15 Jan 2020 13:09:36 +0000 (GMT) Subject: Re: [PATCH] fbdev: potential information leak in do_fb_ioctl() To: Arnd Bergmann Cc: "Eric W. Biederman" , Joe Perches , Dan Carpenter , Andrea Righi , Daniel Vetter , Sam Ravnborg , Maarten Lankhorst , Peter Rosin , Gerd Hoffmann , dri-devel , Linux Fbdev development list , "linux-kernel@vger.kernel.org" , kernel-janitors@vger.kernel.org, security@kernel.org, Kees Cook , Julia Lawall From: Bartlomiej Zolnierkiewicz Message-ID: <6ed59903-afe7-d5b2-73eb-ca626616dd6f@samsung.com> Date: Wed, 15 Jan 2020 14:09:36 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US Content-Transfer-Encoding: 7bit X-Brightmail-Tracker: H4sIAAAAAAAAA01SfUxNYRz2ds4993Tr1tu90m+F5o4mS7TMXqJly5zNbGqG2cSJs0L31u4t ZLZC9LUlUbgZfVglSW7qiqXuzUpqEZI1H1nJ1+6SihVdOp2a/nn3/J7f8+z3PNvLUqoMxpM9 oIsX9Do+RsMo6NrmsY7lKlfviJUnQshETrOcfLNfpEnhh7cUeTk6yJC/tSlykv++jyYlvW2I tGdqSU2PFxnoaaXI46zvMvLi/hWGFA7V0KTeeg2Rq03dDCkbq0GkayINhbhxv8dzEJfXmC/n 8pM7aa7+ZwHN1RnfyjlTeTrDXW0N4+rvHuTeZ7Y4cEMfe2hupPwVxV3P62K4wYeTz7BpIXfB mkpvdd2lWLdfiDlwWNCvCN6riK5saURxv+YdHT/dJk9GJnUGcmQBr4Jbg9l0BlKwKlyGIHPM KJOGEQSWkWwkDcMIat5lOcxYhm9kyUWswqUIJhr8JJENwWiFmREXarwJsopKkIjn4kWQ+3mA EkUUviyDJ386ZeKCwWvhXGr5lEiJg6EpfWCSZ1kaLwHzp1CRdsc74Udvk0ySuEHr5X5axI44 DJoKTk0ForAH9PRfm8beYLZdmboF+BELud2jSEodCu1nC6exGr623JVLeD78rRPNoqFysk3a 52m3GUHpeTsjqYLgTcc4I6ajsC/cvr9CojdA8b1sSqQBu8Brm5sUwgVyai9O00pIO6OS1D5Q VVLFzJzNqLtBZSONcVY146w6xll1jP/vFiC6HHkICQZtlGAI0AlH/A281pCgi/LfF6s1ockf 2mZv+XEPjT6PtCLMIo2zMvrPwgiVjD9sSNRaEbCUZq6y9dKCCJVyP594TNDH7tEnxAgGK/Ji aY2HMrDoy24VjuLjhUOCECfoZ7YOrKNnMsoz1buvflW3LcnT/9cW35DApNpzFb1O/SfJ7h2D pZrcbteA3NA+32fBPkETfavHXfRRZy3e25dWNK957fTzqV+4cyXv5EX3fhA2V0c6Hms4rq6K fz4nbucieyBvu2NuuNkcyQnXu8YSFZ3hzhZbiu5FmaX643r7A0tBsTpyy+KNGzS0IZoPWEbp Dfw/bb/g+J0DAAA= X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprLKsWRmVeSWpSXmKPExsVy+t/xu7qC/PJxBlN6FC3+TjrGbvH633QW i4UP7zJbXPn6ns3i/7YWdovZ9x+zWCx7cJrR4kx3rsXWW9IWz26dZLY40feB1eLyrjlsFgs/ bmWx2HtoPqPFvMPX2SxW/NzKaHH1bwejg6DH71+TGD2mHZjN7jG74SKLx95vC1g8ds66y+6x aVUnm8e8k4Eee7dkedzvPs7k8fHpLRaPL6uuMXssmXaVzeP9PiDxeZOcx5RD7SwB/FF6NkX5 pSWpChn5xSW2StGGFkZ6hpYWekYmlnqGxuaxVkamSvp2NimpOZllqUX6dgl6GeuOH2As+C5W 8av1NHsD4ybhLkZODgkBE4nPK/vYuxi5OIQEljJKvPt1hKWLkQMoISNxfH0ZRI2wxJ9rXWwQ Na8ZJe5+PcQGkhAWcJfoW7SMEcQWEVCUmPriGTNIEbPAbFaJplVrWSE6ljBJdP64CNbBJmAl MbF9FVgHr4CdxOHOZ6wg21gEVCW2P3cBCYsKREgc3jELqkRQ4uTMJywgNqdAoMThBc1MIDaz gLrEn3mXmCFscYlbT+ZDxeUltr+dwzyBUWgWkvZZSFpmIWmZhaRlASPLKkaR1NLi3PTcYkO9 4sTc4tK8dL3k/NxNjMCkse3Yz807GC9tDD7EKMDBqMTDm/FHLk6INbGsuDL3EKMEB7OSCO/J GbJxQrwpiZVVqUX58UWlOanFhxhNgX6byCwlmpwPTGh5JfGGpobmFpaG5sbmxmYWSuK8HQIH Y4QE0hNLUrNTUwtSi2D6mDg4pRoYVZLvPc9be8d2yT4O8aeMf6REc2xL6/ladU/UmJzdVb7+ gd2BAJW5tcnTw7mW/Ah+sSXCOH7+rfpvsz4XXL3m1zhzb3f1DxfDtSfiMi+fXusYWNf8Tv5b 3OcnOdbuwTEBC3sOL80Tvpz80ikk4gm/ka68cuwkvo2Na/2tbD6JV6/eOa/9HXO4EktxRqKh FnNRcSIA0JCo2jADAAA= X-CMS-MailID: 20200115130937eucas1p2674b7613bb50697556ab3068985b8776 X-Msg-Generator: CA Content-Type: text/plain; charset="utf-8" X-RootMTR: 20191029190229epcas3p4e9b24bd8cde962681ef3dc4644ed2c2e X-EPHeader: CA CMS-TYPE: 201P X-CMS-RootMailID: 20191029190229epcas3p4e9b24bd8cde962681ef3dc4644ed2c2e References: <20191029182320.GA17569@mwanda> <87zhhjjryk.fsf@x220.int.ebiederm.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/13/20 1:49 PM, Arnd Bergmann wrote: > On Fri, Jan 3, 2020 at 2:09 PM Bartlomiej Zolnierkiewicz > wrote: >> On 10/29/19 8:02 PM, Eric W. Biederman wrote: >>> >>> The goal is to avoid memory that has values of the previous users of >>> that memory region from leaking to userspace. Which depending on who >>> the previous user of that memory region is could tell userspace >>> information about what the kernel is doing that it should not be allowed >>> to find out. >>> >>> I tried to trace through where "info" and thus presumably "info->fix" is >>> coming from and only made it as far as register_framebuffer. Given >> >> "info" (and thus "info->fix") comes from framebuffer_alloc() (which is >> called by fbdev device drivers prior to registering "info" with >> register_framebuffer()). framebuffer_alloc() does kzalloc() on "info". >> >> Therefore shouldn't memcpy() (as suggested by Jeo Perches) be enough? > > Is it guaranteed that all drivers call framebuffer_alloc() rather than > open-coding it somewhere? > > Here is a list of all files that call register_framebuffer() without first > calling framebuffer_alloc: > > $ git grep -wl register_framebuffer | xargs grep -L framebuffer_alloc > Documentation/fb/framebuffer.rst > drivers/media/pci/ivtv/ivtvfb.c > drivers/media/platform/vivid/vivid-osd.c > drivers/video/fbdev/68328fb.c > drivers/video/fbdev/acornfb.c > drivers/video/fbdev/amba-clcd.c > drivers/video/fbdev/atafb.c > drivers/video/fbdev/au1100fb.c > drivers/video/fbdev/controlfb.c > drivers/video/fbdev/core/fbmem.c > drivers/video/fbdev/cyber2000fb.c > drivers/video/fbdev/fsl-diu-fb.c > drivers/video/fbdev/g364fb.c > drivers/video/fbdev/goldfishfb.c > drivers/video/fbdev/hpfb.c > drivers/video/fbdev/macfb.c > drivers/video/fbdev/matrox/matroxfb_base.c > drivers/video/fbdev/matrox/matroxfb_crtc2.c > drivers/video/fbdev/maxinefb.c > drivers/video/fbdev/ocfb.c > drivers/video/fbdev/pxafb.c > drivers/video/fbdev/sa1100fb.c > drivers/video/fbdev/stifb.c > drivers/video/fbdev/valkyriefb.c > drivers/video/fbdev/vermilion/vermilion.c > drivers/video/fbdev/vt8500lcdfb.c > drivers/video/fbdev/wm8505fb.c > drivers/video/fbdev/xilinxfb.c > > It's possible (even likely, the ones I looked at are fine) that they > all correctly > zero out the fb_info structure first, but it seems hard to guarantee, so > Eric's suggestion would possibly still be the safer choice. I've audited all above instances and they are all fine. They either use the fb_info structure embedded in a driver specific structure (which is zeroed out) or (in case of some m68k specific drivers) use a static fb_info instance. Since fbdev is closed for new drivers it should be now fine to use the simpler approach (just use memcpy()). Best regards, -- Bartlomiej Zolnierkiewicz Samsung R&D Institute Poland Samsung Electronics