Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp1099750ybg; Mon, 27 Jul 2020 07:56:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyUu1npHBcoK6cQS2isMKqdk8vhBYBL48KPqB9D707Hb7TsPuLozqDztt7Cpzi4n8v7I599 X-Received: by 2002:aa7:d6cf:: with SMTP id x15mr21106603edr.164.1595861772815; Mon, 27 Jul 2020 07:56:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595861772; cv=none; d=google.com; s=arc-20160816; b=phnfXelQBrw/KuJ6uKhHBFRYSjt9Ptn65j2oLrz4Ab0nOpgi9dayAInRYS+v01DbSN Ijmd4ugjzCnv8F+xh4LHoh82bQg1gTGrkfrAfya//wbJ89Fh1VEUHN81eZ3p/aU0nQpH M7V0WD8+v4mq99TXwkkop4aC2CU0MQcXrhNubl5n6pGmtLECHefvhF3hHQRG41kMTDiu cy8lSOoPJLzoJjY9xmumta3VqxXKW3JU7yw92IbbXtEOCBeb0XaA7+K+GArxWf6dX6e7 6Yi50djSkzUeLlwc8pkMeuNvx30yJoNrcbVDxzb9mzQea9qttCWwk+MhXU6HGeaOiv7f vmdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=NaOwtwYM6QEalVVil8iDbWgvOTjuLmH96DbOLX9o4X0=; b=reCC0a95ecqHoCPtpXhOp2MydOnPcpibdUYqahn1Wdb8XvjUrSBh1wYkj/PZ/iX22W 2alUNAS8zO07PdcCHkr+Z4Z5p91sDLskF5PNXjts9vAxZSrVjfEnsI9b5XQnljHe1kh+ 5eIM1zuTrSimEM9I989W1hEvpdST5koGJs6F8GAo0L6AmSV1VNmU/Si/4Y40snNCjhRN 7mfKeVyXoaZ3we7V0oCa7xBsITJvGmInquF4TDKMJOVvcVtzvFHYZpMzGTCygmRoktKP UOV6/atR0+e0fqPvc63387cnb3Ti3P2u5pOGRWXeskLTDkVEFASwTswFrAeXkDBCAr1C aL6w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bh13si5768462ejb.48.2020.07.27.07.55.50; Mon, 27 Jul 2020 07:56:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729216AbgG0OzX (ORCPT + 99 others); Mon, 27 Jul 2020 10:55:23 -0400 Received: from mout.kundenserver.de ([212.227.126.187]:36535 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728593AbgG0OzX (ORCPT ); Mon, 27 Jul 2020 10:55:23 -0400 Received: from mail-qt1-f176.google.com ([209.85.160.176]) by mrelayeu.kundenserver.de (mreue012 [212.227.15.129]) with ESMTPSA (Nemesis) id 1M1rGy-1jxrbk3MBU-002EwH; Mon, 27 Jul 2020 16:55:21 +0200 Received: by mail-qt1-f176.google.com with SMTP id a32so12388268qtb.5; Mon, 27 Jul 2020 07:55:20 -0700 (PDT) X-Gm-Message-State: AOAM533ZWz0enoIgMN0JE8JFROIGl461VIVcMTiHe2Z7S1MsrzAZZ1fy W0aPOd+sqKZ2zAnni0baLsQQ+DfCTt131kJTXJA= X-Received: by 2002:ac8:4652:: with SMTP id f18mr4923449qto.142.1595861719558; Mon, 27 Jul 2020 07:55:19 -0700 (PDT) MIME-Version: 1.0 References: <20200726220557.102300-1-yepeilin.cs@gmail.com> <20200726222703.102701-1-yepeilin.cs@gmail.com> <20200727131608.GD1913@kadam> <20200727144335.GB2571@kadam> In-Reply-To: <20200727144335.GB2571@kadam> From: Arnd Bergmann Date: Mon, 27 Jul 2020 16:55:03 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix kernel-infoleak in video_put_user() To: Dan Carpenter Cc: Peilin Ye , Mauro Carvalho Chehab , Greg Kroah-Hartman , syzkaller-bugs , Hans Verkuil , Sakari Ailus , Laurent Pinchart , Vandana BN , Ezequiel Garcia , =?UTF-8?Q?Niklas_S=C3=B6derlund?= , linux-kernel-mentees@lists.linuxfoundation.org, Linux Media Mailing List , "linux-kernel@vger.kernel.org" , Linus Walleij Content-Type: text/plain; charset="UTF-8" X-Provags-ID: V03:K1:tg/AoHCEOzFAvg7gpivm7llDARO5ETgYItX/UyNLv11Hj+kUEss gaoEZqF9Swg/frhxewZMg9np3RCE8raNgC8ifNllb/2kfx9JXS/lpMeXQj+12lADYBftr4C 5ZnjmUFYNLZ2i/SKgmvJ3NpOxAVewrdOxuX169B0fKxB5Joo/4933kfNlVhejQc+DYsIkdT QfzF1CVkSuqzlvs0yjJ4A== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:/gJ4HQPTSlA=:wK7KjLlZvMxrMBqGlgrOEl C6EwE3AgVo1zSP7IpVa33AMGlCVKQg5Zc5b9knmZCKjhTTey8rr324tkm4gRqtg6zOn7tHg8v uZfE4F8RVgfydtO7QcBkqd3ThzLh34apHEeAE+czrGQMiPrD1RYdni9lxILFSEvQ+TluXsaZI +6fZFucgrJlAYi6uTL1rm24BQZ0S4YIl2qh42fBL2yo2yO7gF785b/QidG/euLr8nEJlnrC+e ybyI+PGXUaHkqvL+vnzNGHzFu4bkFpMK83qR5NnLfyQw+qsTQC4s3EJ54wZ2fyPbTvHlQi5FV 7eIHAwkCI9z9gFD8RBGP3679fF3w+KhW7fUQwMDQrIeflsgLLwjaZZCdfkfF5WPbksoX64U9u f6VTTxWTt5CLVNzoOmv2Vvvd5KQKzSSYaX9+p1QJeDZ0mWP35c6Ll/jhqDgEK1VZ9+W0nhxJB y7c8hcpMbS/0rthFWxJkrcwU+rBHgRHf92zf1lMd71o0ZEQz5+1h6WCEnZ5isX4D6ou+pACeO yiOPOn1K9kLNB6HupDV9qO5CX3SGV7yTJbaouNVcQ5rxEUFYAExaNxEX7P3adupDVxPX6oE2A 3evrpnfcgNPf2TvbGOa+yCq24tELJ3054emLX/JE35o0kvIg36miAcSUOGOVawj/yr+QRx9qn TjKz2c6A7iKOBVbumWnUDkznQnH3s105E36io3PEmrxHoOPzcuy1j7aHWKPMvHRMHNgr02ds9 8hOf+N9I0cp1rED498wkQfcRm19Cr+539pKmooSvRWipVtCZDAM4Q13WMaJ0kusE58GHM9ncs Hyyw/oX+bYYy01LUdJ7lBed2eyMFtMDPpxsImOQGc2ZrwRU3WlOi+oCKT4HrMTkOFsZFIw1cw H/ERaHBb2Lut0TYrgrsIQo83fZVABCuU4aaClyF5VXn/rjJSNluW8GGdg0PZLnisI2zYThrTa lwLC2cn7oHiSCyeUHOnkIGFuSZSmhuoQRQkYEz+8n12UyceBN5ADh Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 27, 2020 at 4:43 PM Dan Carpenter wrote: > > On Mon, Jul 27, 2020 at 04:05:38PM +0200, Arnd Bergmann wrote: > > On Mon, Jul 27, 2020 at 3:16 PM Dan Carpenter wrote: > > > > > > On Mon, Jul 27, 2020 at 09:25:16AM +0200, Arnd Bergmann wrote: > > > > On Mon, Jul 27, 2020 at 12:28 AM Peilin Ye wrote: > > > > > > > > > > video_put_user() is copying uninitialized stack memory to userspace due > > > > > to the compiler not initializing holes in the structures declared on the > > > > > stack. Fix it by initializing `ev32` and `vb32` using memset(). > > > > > > > > > > Reported-and-tested-by: syzbot+79d751604cb6f29fbf59@syzkaller.appspotmail.com > > > > > Link: https://syzkaller.appspot.com/bug?extid=79d751604cb6f29fbf59 > > > > > Reviewed-by: Laurent Pinchart > > > > > Signed-off-by: Peilin Ye > > > > > > > > Thanks a lot for addressing this! I now see that I actually created a similar > > > > bugfix for it back in January, but for some reason that got stuck in my > > > > backlog and I never wrote a proper description for it or sent it out to the > > > > list, sorry about that. I would hope we could find a way to have either > > > > the compiler or sparse warn if we copy uninitialized data to user space, > > > > but we now don't even check for that within the kernel any more. > > > > > > Here are my latest warnings on linux-next from Friday. > > > > Ah, I forgot you had that kind of list already, thanks for checking! > > > > > block/scsi_ioctl.c:707 scsi_put_cdrom_generic_arg() warn: check that 'cgc32' doesn't leak information (struct has a hole after 'data_direction') > > > > I see no padding in this one, should be fine AFAICT. Any idea why you > > get a warning > > for this instance? > > > > The warning message only prints the first struct hole or uninitialized > struct memeber. ->data_direction in this case. > > block/scsi_ioctl.c > 646 #ifdef CONFIG_COMPAT > 647 struct compat_cdrom_generic_command { > 648 unsigned char cmd[CDROM_PACKET_SIZE]; > 649 compat_caddr_t buffer; > 650 compat_uint_t buflen; > 651 compat_int_t stat; > 652 compat_caddr_t sense; > 653 unsigned char data_direction; > > There is going to be 3 bytes of padding between this char and the next > int. > > 654 compat_int_t quiet; > 655 compat_int_t timeout; > 656 compat_caddr_t reserved[1]; > 657 }; > 658 #endif > > The bug seems real, but it depends on the compiler of course. Right, I misread the single 'char' in there. > > > drivers/input/misc/uinput.c:743 uinput_ff_upload_to_user() warn: check that 'ff_up_compat' doesn't leak information (struct has a hole after 'replay') > > > > This one hs padding in it and looks broken. > > No. This a bug in smatch. It's memcpy() over the hole, but the check > isn't capturing that. The code is slightly weird... I could try > silence the warning but it would only silence this one false positive so > I haven't investigated it. Ah right, and the structure it copies in turn comes from user space originally. > > > drivers/scsi/megaraid/megaraid_mm.c:824 kioc_to_mimd() warn: check that 'cinfo.base' doesn't leak information > > > > Seems fine due to __packed annotation. > > > > It's not related __packed. Smatch is saying that cinfo.base isn't > necessarily initialized. > > drivers/scsi/megaraid/megaraid_mm.c > 816 > 817 case MEGAIOC_QADAPINFO: > 818 > 819 hinfo = (mraid_hba_info_t *)(unsigned long) > 820 kioc->buf_vaddr; > 821 > 822 hinfo_to_cinfo(hinfo, &cinfo); > > hinfo_to_cinfo() is a no-op if hinfo is NULL. Smatch can't tell if > "hinfo" is non-NULL. Ok, that sounds fair, I couldn't easily tell either ;-) Arnd