Date: Thu, 2 Apr 2020 20:53:21 +0200
From: Pavel Machek
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Maciej Żenczykowski, John Stultz, Alexander Potapenko, Alistair Delva, Daniel Borkmann, Yonghong Song
Subject: Re: [PATCH 4.19 105/116] bpf: Explicitly memset the bpf_attr structure
Message-ID: <20200402185320.GA8077@duo.ucw.cz>
References: <20200401161542.669484650@linuxfoundation.org> <20200401161555.630698707@linuxfoundation.org>
In-Reply-To: <20200401161555.630698707@linuxfoundation.org>

Hi!
> From: Greg Kroah-Hartman
> 
> commit 8096f229421f7b22433775e928d506f0342e5907 upstream.
> 
> For the bpf syscall, we are relying on the compiler to properly zero out
> the bpf_attr union that we copy userspace data into. Unfortunately that
> doesn't always work properly, padding and other oddities might not be
> correctly zeroed, and in some tests odd things have been found when the
> stack is pre-initialized to other values.
> 
> Fix this by explicitly memsetting the structure to 0 before using
> it.

Is not that a gcc bug? I mean, that's seriously unhelpful behaviour
from a security perspective.

Is there any reason to believe this is not causing problems elsewhere?

$ grep -ri "= {}" . | wc -l
2152

I'm pretty sure many of these are before return to userspace... I
picked one at random:

./drivers/media/cec/cec-api.c-static long cec_adap_g_caps(struct cec_adapter *adap,
./drivers/media/cec/cec-api.c-                            struct cec_caps __user *parg)
./drivers/media/cec/cec-api.c-{
./drivers/media/cec/cec-api.c:        struct cec_caps caps = {};
./drivers/media/cec/cec-api.c-
./drivers/media/cec/cec-api.c-        strscpy(caps.driver, adap->devnode.dev.parent->driver->name,
./drivers/media/cec/cec-api.c-                sizeof(caps.driver));
./drivers/media/cec/cec-api.c-        strscpy(caps.name, adap->name, sizeof(caps.name));
./drivers/media/cec/cec-api.c-        caps.available_log_addrs = adap->available_log_addrs;
./drivers/media/cec/cec-api.c-        caps.capabilities = adap->capabilities;
./drivers/media/cec/cec-api.c-        caps.version = LINUX_VERSION_CODE;
./drivers/media/cec/cec-api.c-        if (copy_to_user(parg, &caps, sizeof(caps)))
./drivers/media/cec/cec-api.c-                return -EFAULT;
./drivers/media/cec/cec-api.c-        return 0;
./drivers/media/cec/cec-api.c-}

Should we fix gcc, instead?
Best regards,
                                                        Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
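Added example, not part of the mail or of the kernel: a small userspace C harness for the concern discussed above. It builds an object image the way the quoted cec code does (brace initialization) and the way the patch does (explicit memset), after scribbling the stack, and runs the check a leak-hunting harness would apply to the buffer handed to copy_to_user(): are any padding bytes non-zero? The struct layout, the `dirty_stack` helper and the `{ 0 }` spelling of the kernel's `= {}` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a struct handed to copy_to_user() (cf. cec_caps and
 * bpf_attr in the mail); the field order forces interior and tail padding. */
struct caps_like {
    uint8_t  flags;     /* padding follows up to the uint32_t boundary */
    uint32_t count;
    uint64_t features;
    char     name[3];   /* tail padding up to the struct's alignment */
};
/* True when byte offset 'off' lies inside no field, i.e. it is padding. */
static int is_padding(size_t off)
{
#define IN(f) (off >= offsetof(struct caps_like, f) && \
               off < offsetof(struct caps_like, f) + sizeof(((struct caps_like *)0)->f))
    return !(IN(flags) || IN(count) || IN(features) || IN(name));
}
/* Leak check on the object image given to copy_to_user(): non-zero padding bytes. */
int count_nonzero_padding(const unsigned char *img)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(struct caps_like); i++)
        n += is_padding(i) && img[i] != 0;
    return n;
}
/* Scribble the stack so the next frame starts non-zero ("stack pre-initialized"). */
__attribute__((noinline)) static void dirty_stack(void)
{
    volatile unsigned char junk[512];
    memset((void *)junk, 0xA5, sizeof junk);
}
/* use_memset=0: brace init as in the cec code ("{ 0 }" is standard C for "= {}"),
 * where C leaves padding unspecified; use_memset=1: the patch's explicit memset. */
__attribute__((noinline)) static void build(unsigned char *out, int use_memset)
{
    struct caps_like c = { 0 };
    if (use_memset) memset(&c, 0, sizeof c);
    c.flags = 1; c.count = 7; c.features = 0xff; memcpy(c.name, "ab", 3);
    memcpy(out, &c, sizeof c);   /* stand-in for copy_to_user() */
}
/* Non-zero padding bytes that reached "userspace" for either construction. */
int leaked_padding(int use_memset)
{
    unsigned char user_buf[sizeof(struct caps_like)];
    dirty_stack();
    build(user_buf, use_memset);
    return count_nonzero_padding(user_buf);
}
```

Only the memset path is guaranteed to report zero; what `leaked_padding(0)` reports depends on the compiler and optimization level, which is exactly why the mail asks whether relying on `= {}` is safe.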