Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp838725ybg; Mon, 27 Jul 2020 00:27:01 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwYVJTKtJgMXqeBmie+ay+OtC35thUfYTD5Fu/VNxQClO3mMOORM+dz/HFnXjO9M64xdd1B X-Received: by 2002:a05:6402:204f:: with SMTP id bc15mr18770121edb.70.1595834821507; Mon, 27 Jul 2020 00:27:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595834821; cv=none; d=google.com; s=arc-20160816; b=zMc/gp0FvsOsVUGxwXn5peVGL5W4luYduo1XWsvVSl/Txy+rUECkhrXjo/1Cx1QLaN f7+QvzWBF3TTAitIFhKQo/DaMjlz6nkouYV7j+IQHqlR9QTiAsp+9lYQCO/K7C0dVCR2 V12p2Jwh2F2+qxg/nW6LA94QbD32UMxN1KF3e2yNaJlEZzrOFGOAlGsiKnwFT0lmRdya B7S5t7dvsBHTlJUuvi7vG+G3WCkKmW2WUt+nFRAnn0hGtKr93ICRE8ob4wEsa+Y3WUQc kzxJgujML5DswoD5QWg2Jk9MYOfaC9u7ol1SbUycjCRhHCosbXdCFaI4xnuiPsE0YwVr dvEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=ojT0brnzJG1rOyw+VJcXP+//bXdDSzdgJIyGj/mB9+M=; b=UH+xrf9JFchQw7/fKANGvuibDKjaVmGoJa5tC4W99ACtGrUsugrJE8hzPMQV9IDmiQ TORr7xeQ/CJXkRDjR6wM2CKTY5SwCw62oOJv92hSz0IPh2ZeSRxPS7ivD+rm+oP5iRlY Xuk/SK+J5FXQWR4Irwe/4wZHvk1Z+Z6WTEUC0qNTz4MEoO6zqcJG3COLqI1iv8gV2CGO Nbi8OswGzd9maf3tmtqHSLyeKbORLVtCVV3M3E+kjA3oZVd4sqezT+aEHjYAg9hlc/BO tLUJLQZeQQ3F60Bw9SdedLYobwnbAIg2H8ChjQy7Ltm0aztujh8JH8bzIz4wpRqN4kb6 fUew== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q8si1879730ejo.528.2020.07.27.00.26.38; Mon, 27 Jul 2020 00:27:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726575AbgG0HZg (ORCPT + 99 others); Mon, 27 Jul 2020 03:25:36 -0400 Received: from mout.kundenserver.de ([212.227.126.133]:52995 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726116AbgG0HZg (ORCPT ); Mon, 27 Jul 2020 03:25:36 -0400 Received: from mail-qt1-f174.google.com ([209.85.160.174]) by mrelayeu.kundenserver.de (mreue009 [212.227.15.129]) with ESMTPSA (Nemesis) id 1MrQN5-1kc6LS1RQ7-00oSaW; Mon, 27 Jul 2020 09:25:33 +0200 Received: by mail-qt1-f174.google.com with SMTP id k18so11476309qtm.10; Mon, 27 Jul 2020 00:25:33 -0700 (PDT) X-Gm-Message-State: AOAM532evHLRZt1xnU3P9FMl3ZraIadYspfVI5Vomrdbvzy9ZxVO1OPI qxumO0Av/Q4pPojkPWhRX+2CehV5T+ovqeEIF5E= X-Received: by 2002:aed:33e7:: with SMTP id v94mr18147736qtd.18.1595834732135; Mon, 27 Jul 2020 00:25:32 -0700 (PDT) MIME-Version: 1.0 References: <20200726220557.102300-1-yepeilin.cs@gmail.com> <20200726222703.102701-1-yepeilin.cs@gmail.com> In-Reply-To: <20200726222703.102701-1-yepeilin.cs@gmail.com> From: Arnd Bergmann Date: Mon, 27 Jul 2020 09:25:16 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix kernel-infoleak in video_put_user() To: Peilin Ye Cc: Mauro Carvalho Chehab , Greg Kroah-Hartman , syzkaller-bugs , Hans Verkuil , Sakari Ailus , Laurent Pinchart , Vandana BN , Ezequiel Garcia , =?UTF-8?Q?Niklas_S=C3=B6derlund?= , linux-kernel-mentees@lists.linuxfoundation.org, Linux Media Mailing List , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" X-Provags-ID: V03:K1:Pvkn78eH0tOJf1RFljQq0oDnVVH7E+/mtWTzh0OZ61SmInkuDGg lQ3UluJCbw1dkfypL+PduslEGlPeO2uD+Lj3fwuYYLKKtFhvZTcugw5EqR1eaxlq567DoAO +XBUvz2a442uXtXHTLTJ0FVCQ/oClATX8n9+XvvAQcwIgbpinnBpxyn311yh8YgiTdoNEuS n2vMJker2LIcbxoXziSrA== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:l8yhX0La2Kw=:H87blivzVsgm1iYavydGII QPGdLMTp92t8lUhTRnAALef8MV9tOwxvzVOYIjqyjS2kmqsjU3vIYXIs48ahj1ZlRaP/sp/vu 3B+v1yEreVmaKyynRVfr2pHMKLfmDDzmyJ2e2DXqNwrnHOM3Glr6GJ03Trw+U5fJAJS5SHPOQ uO7+n8rNUSk+5qub8bEw13yBaXtRtlxVEnPmOmRI0nEdWyXx+dugVhsC19qirqQf9Wv6NjlKf koAt4ieGEVWppFB3sNx0MaQV65V7423su4SS06OWeq+ugs9/w3G0XosYQpTvahKteRmsPKFIl 8WZLLkHGJNwVF6veBxCXNmCZXaJX8xNxddgaWhrSF4j2g9V76VuT9Po4VzRk7+p9rk2ngBn5y R74+gOAk8OtyZYt6mbaZitvMkjVLp00CulPvqCGVUwJZyPUHAOtU11m3HM/DG2SrZGpOk82iw D+unrqN3nxvA5sB9K/YTdF9mY6if7XMBzHgsvPOZdmmlosyBZ9yaA93F3qcu/6AlJxGK+3QFN Kf/TJ76qZFqe63Jz2KCtLetPX8A/IQXu7wBHn5pu7HDVK+qjjdNikrYyfn3ckysAjjfleGMeb Nm8CWsHJcDI3sTe8oC+vm4iEQp+amyLMAdAoSha55/UUM0qe+8drnn5Irmu+MBeiot3ic6GHG eTnRs8e2dkVDHMabPsls5Oc3GWldlYYJ7Jl3rbY6bgsXWgt56Sz8J/piopWWwOLD/5TRzlpN0 PuxjoCuD2fAD6ZC2hvZC9cbbmMaCIPivKQ+6XwC0+o5pa8AsD5/alD2yH3QZZz7lO3PGkBReh et9bmtcjn2GUFjpRkKcKy4YLPJ+olxpLrNWqZ3pYzdQv7itsqCojzez8zmII8RjWun4Ljm1vS AhBfx6ZwjN4CXetQokg8iWRtvZXSb3czRjjngwDILilNwxV3NvEhr0BAc87lTPjvesJ/bsIG2 yZ7Dx4js7OllOYMstz+5fdPkHhRBdm4Pq2lgRVW2IBlUX9Tnwp5BL Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 27, 2020 at 12:28 AM Peilin Ye wrote: > > video_put_user() is copying uninitialized stack memory to userspace due > to the compiler not initializing holes in the structures declared on the > stack. Fix it by initializing `ev32` and `vb32` using memset(). > > Reported-and-tested-by: syzbot+79d751604cb6f29fbf59@syzkaller.appspotmail.com > Link: https://syzkaller.appspot.com/bug?extid=79d751604cb6f29fbf59 > Reviewed-by: Laurent Pinchart > Signed-off-by: Peilin Ye Thanks a lot for addressing this! I now see that I actually created a similar bugfix for it back in January, but for some reason that got stuck in my backlog and I never wrote a proper description for it or sent it out to the list, sorry about that. I would hope we could find a way to have either the compiler or sparse warn if we copy uninitialized data to user space, but we now don't even check for that within the kernel any more. I would suggest adding these tags to the patch, to ensure it gets backported to stable kernels as needed: Cc: stable@vger.kernel.org Fixes: 1a6c0b36dd19 ("media: v4l2-core: fix VIDIOC_DQEVENT for time64 ABI") Fixes: 577c89b0ce72 ("media: v4l2-core: fix v4l2_buffer handling for time64 ABI") In addition to Reviewed-by: Arnd Bergmann