Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp146989ybg;
        Tue, 28 Jul 2020 02:13:29 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzuIndsd1TtqfTSUNBlYZ8CwQee47QK2Tj8cgREnLV2SbmZjzdsPp6ojN3obQ/RHbvFLEX1
X-Received: by 2002:a50:935a:: with SMTP id n26mr12163816eda.107.1595927609026;
        Tue, 28 Jul 2020 02:13:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1595927609; cv=none;
        d=google.com; s=arc-20160816;
        b=E5b9w78VnheHpU0lLWTrRajOktiW6PujUtKWLLuUIwcpdZmWCsyrrprSWtxFZ6tsBf
         2kx8ECaMIQhwGIP6e6wnlE5d+qouxnAb81ivaZIOOhK5sKjSGmiJOFvowdyfKtgRyfnE
         gnP7e4VKsgotuwYI9+n7v3jJVUb3lKC7Vdz0rXq07XVoS8Y4eO43FTVeIkGwjBjj8oaR
         QUY+rNnYjfm3hDsU3zPGFqmRoE6cMngkOjYRLl+czk8xbZTuwCv5zvnMblw+OP/+nGRb
         uFJasvvcoFPR70jxzNG6ocBmVmW/7UzL9yMo4ylo7Z9OsLpWBOaScF/GaXpKjWHis5OZ
         h3Ig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version;
        bh=WT7Zi4dk3uocaOlLdmBjSWZGIYOqXv94RrYfcoiOqn4=;
        b=j3eHljJ3dZhpnrtqVHfZVOxqFuU1FQwsleL5P6m/xuWU2D6zPcyKelwPFTigPk+LqE
         DRYznaMX4BmEGzOQI8WdI/v3gEu2r1MKgcOvwx0uXWMorQ6iRxYO2JESYlmr6zocZ6s6
         AVy5SyrysNhwmvsHa43fBOBsPqsByzJ0CKHD4P9qjjZf8tPVeICa35j0ZtznafJjgc52
         UqhSsIAfgbR6xjKFKIe1eM9GlEJk1Cuh6rnFxF75gkthF67582o4dCCh0uZKqMAyXosP
         Imn1IL/gr5Pm0N6BN8D7TKVWYYZgG7E5ig5h/5bOwPCuRXJkc103Az++Pazwr5C90mny
         qO6Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id by9si7101488edb.241.2020.07.28.02.13.01;
        Tue, 28 Jul 2020 02:13:29 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728390AbgG1JKj (ORCPT <rfc822;busarih159@gmail.com>
        + 99 others); Tue, 28 Jul 2020 05:10:39 -0400
Received: from mout.kundenserver.de ([217.72.192.75]:50129 "EHLO
        mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727970AbgG1JKi (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Jul 2020 05:10:38 -0400
Received: from mail-qk1-f182.google.com ([209.85.222.182]) by
 mrelayeu.kundenserver.de (mreue106 [212.227.15.145]) with ESMTPSA (Nemesis)
 id 1Mbj7g-1kVYFH1uRi-00dDxa for <linux-kernel@vger.kernel.org>; Tue, 28 Jul
 2020 11:10:37 +0200
Received: by mail-qk1-f182.google.com with SMTP id j187so17927360qke.11
        for <linux-kernel@vger.kernel.org>; Tue, 28 Jul 2020 02:10:37 -0700 (PDT)
X-Gm-Message-State: AOAM532QIUFAHTGiVuSvKnX3LhU6nx9e3o5NcAwWgxbo3HiPrxhsalGV
        A6W7zoieg/O5zYuE+aosLjM2qMjaIlfqEat4Bxw=
X-Received: by 2002:a37:385:: with SMTP id 127mr25310801qkd.3.1595927436336;
 Tue, 28 Jul 2020 02:10:36 -0700 (PDT)
MIME-Version: 1.0
References: <20200726220557.102300-1-yepeilin.cs@gmail.com>
 <20200726222703.102701-1-yepeilin.cs@gmail.com> <CAK8P3a3NB2BVo9fH-Wcinrhhs-QJ=9dK59Ds83TvgLmEkRy3qA@mail.gmail.com>
 <20200727131608.GD1913@kadam> <20200727223357.GA329006@PWN>
In-Reply-To: <20200727223357.GA329006@PWN>
From:   Arnd Bergmann <arnd@arndb.de>
Date:   Tue, 28 Jul 2020 11:10:20 +0200
X-Gmail-Original-Message-ID: <CAK8P3a1QZxPfLF3-jYzPGmHR_TOUfET+92x_L_K4Tkqf+v9bDA@mail.gmail.com>
Message-ID: <CAK8P3a1QZxPfLF3-jYzPGmHR_TOUfET+92x_L_K4Tkqf+v9bDA@mail.gmail.com>
Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix
 kernel-infoleak in video_put_user()
To:     Peilin Ye <yepeilin.cs@gmail.com>
Cc:     Dan Carpenter <dan.carpenter@oracle.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-kernel-mentees@lists.linuxfoundation.org,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
X-Provags-ID: V03:K1:Q3fT1idtTBmO7YatuFmYT9rv/IcfaRQT+rnlaCCHLp+Nm6pT4KX
 aaeS5KiB5CnfNKGuo3M2tyuBiKy0fzEAFbY+y//fPH3ZbHVxXuMmsPAzjTDjadfxW3a8sSc
 B7xuuW+AzHrOJLI0KUoDhChxEzRZM1QbvSVs94EjMUoTOnY6ymAAm0PxIZRAWoNREmgRUpW
 838E/TbPf1n42gLakehag==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:P/TFOYHB+HI=:XbBqJ+bfikp7nEBAATyyrY
 zP34tuMgYKxwKT9Ent4mJSJlU3G85REmYML9KzAWAeAtjLzULz6gc9AdhapsLIE+KGdWxc05F
 fJiYPwVVFypJbAuzOlJw8hLKW7B2Ac6CqMiaw+yN6/a+xQio7FvEmSaJwzyOFfp9CzDCKJVyT
 wu4vnZfBTmQtcOtMjWFHdV2+1GJvvd1HNrhle36j0wWIAYgmLHv+eUcQ8AfKvKbAI5j6OfKQl
 HGI98S95pV3z3K9Sb4U6LFAcMzbauno5LWROHg1lTiBKQUlyOLO54URhpnqAiFtdBIhrHB1um
 wRo/JbsTyCLyrcs1GFHF5yaR9OAsvcJ9bz4tfE34v/6HycAVGimacU/tgyc8BjG0GzTEHyBAn
 fsTaX6pkrJfxWiVq8hZtpauic7ClRT1z5gUhJpib5cKFozXWf9cuLICCI05IgP3oJU6CJ/0G7
 zI1Az8OXwCIYQb/Xya/cqDe90tehDU0AYK+2+Rw0VPGizqXvNK40det6tjxC6rUQzJx3aaTJ/
 LCbkb0ShxjocazPBvQ/oLDG3QO6a+szA+zHq19a9hDvuvWd8sPr+OL+bSrOLDcZSHk4I8Rcqe
 rHzjAOqeFGhYLxUsX2ik3d4yQFyJ7aav3jGVNuoGbBHealhZUDkn7tWXzEwKT+CYreheJpGxU
 oGn1RXR2khjWlDf6eOFScUqeRgVRR4a+Z882QtfMcEp7tTTmfWeyd9Zt6kK4m/wQ/J6jfeZVd
 xTwN+9jDIzLgDspYtZPtHbYehSH7S0pbwz/bCiEse/25HzVtgfisRCmeIChKa3haNMEedsy3c
 uAv8H3aG7JX7OAxaWtoWapJDRpZNd2ne7sLyzbCA3rZjfYaRolr4axs0xRcHb+gM1Ym80R9i+
 CNlQ2JdlwAuP/FDX+6k48K+m86y9kJpQszNZPTvdW8FI4uFFvm9RJSjtlF2bG1JAqdEnImuQj
 9jhYfknkFJKQEZLRO7w4u89I5cbPvh/dI0gN1V/Ep+CJDmQjiIp2W
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 28, 2020 at 12:34 AM Peilin Ye <yepeilin.cs@gmail.com> wrote:
>
> On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote:
> > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd' doesn't leak information (struct has a hole after 'flags')
>
> (Removed some Cc: recipients from the list.)
>
> I'm not very sure, but I think this one is also a false positive.
>
> Here Smatch is complaining about a linked list called `my_raw_cmd`
> defined in raw_cmd_ioctl():
>
> drivers/block/floppy.c:3249:
>
>         ret = raw_cmd_copyin(cmd, param, &my_raw_cmd);
>
> In raw_cmd_copyin(), each element of the linked list is allocated by
> kmalloc() then copied from user:
>
> drivers/block/floppy.c:3180:
>
> loop:
>         ptr = kmalloc(sizeof(struct floppy_raw_cmd), GFP_KERNEL);
>               ^^^^^^^
>         if (!ptr)
>                 return -ENOMEM;
>         *rcmd = ptr;
>         ret = copy_from_user(ptr, param, sizeof(*ptr));
>               ^^^^^^^^^^^^^^
>
> I think copy_from_user() is filling in the paddings inside `struct
> floppy_raw_cmd`?

I am not completely sure about this one either. copy_from_user()
would indeed fill the pad bytes in the structure, but there is another
problem:

                struct floppy_raw_cmd cmd = *ptr;
                cmd.next = NULL;
                cmd.kernel_data = NULL;
                ret = copy_to_user(param, &cmd, sizeof(cmd));

IIRC the struct assignment is allowed to be done per member
and skip the padding, so the on-stack copy can then again
contain a data leak. The compiler is likely to turn a struct
assignment into a memcpy(), but as the code then goes on
to set two members individually, I suppose doing a per-member
copy would not be unreasonable behavior either and doing
a memcpy() instead of an assignment would be the safe
choice.

If someone has a clearer understanding of what the compiler
is actually allowed to do here, please let us know.

       Arnd