Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp146989ybg; Tue, 28 Jul 2020 02:13:29 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzuIndsd1TtqfTSUNBlYZ8CwQee47QK2Tj8cgREnLV2SbmZjzdsPp6ojN3obQ/RHbvFLEX1 X-Received: by 2002:a50:935a:: with SMTP id n26mr12163816eda.107.1595927609026; Tue, 28 Jul 2020 02:13:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595927609; cv=none; d=google.com; s=arc-20160816; b=E5b9w78VnheHpU0lLWTrRajOktiW6PujUtKWLLuUIwcpdZmWCsyrrprSWtxFZ6tsBf 2kx8ECaMIQhwGIP6e6wnlE5d+qouxnAb81ivaZIOOhK5sKjSGmiJOFvowdyfKtgRyfnE gnP7e4VKsgotuwYI9+n7v3jJVUb3lKC7Vdz0rXq07XVoS8Y4eO43FTVeIkGwjBjj8oaR QUY+rNnYjfm3hDsU3zPGFqmRoE6cMngkOjYRLl+czk8xbZTuwCv5zvnMblw+OP/+nGRb uFJasvvcoFPR70jxzNG6ocBmVmW/7UzL9yMo4ylo7Z9OsLpWBOaScF/GaXpKjWHis5OZ h3Ig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=WT7Zi4dk3uocaOlLdmBjSWZGIYOqXv94RrYfcoiOqn4=; b=j3eHljJ3dZhpnrtqVHfZVOxqFuU1FQwsleL5P6m/xuWU2D6zPcyKelwPFTigPk+LqE DRYznaMX4BmEGzOQI8WdI/v3gEu2r1MKgcOvwx0uXWMorQ6iRxYO2JESYlmr6zocZ6s6 AVy5SyrysNhwmvsHa43fBOBsPqsByzJ0CKHD4P9qjjZf8tPVeICa35j0ZtznafJjgc52 UqhSsIAfgbR6xjKFKIe1eM9GlEJk1Cuh6rnFxF75gkthF67582o4dCCh0uZKqMAyXosP Imn1IL/gr5Pm0N6BN8D7TKVWYYZgG7E5ig5h/5bOwPCuRXJkc103Az++Pazwr5C90mny qO6Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id by9si7101488edb.241.2020.07.28.02.13.01; Tue, 28 Jul 2020 02:13:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728390AbgG1JKj (ORCPT + 99 others); Tue, 28 Jul 2020 05:10:39 -0400 Received: from mout.kundenserver.de ([217.72.192.75]:50129 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727970AbgG1JKi (ORCPT ); Tue, 28 Jul 2020 05:10:38 -0400 Received: from mail-qk1-f182.google.com ([209.85.222.182]) by mrelayeu.kundenserver.de (mreue106 [212.227.15.145]) with ESMTPSA (Nemesis) id 1Mbj7g-1kVYFH1uRi-00dDxa for ; Tue, 28 Jul 2020 11:10:37 +0200 Received: by mail-qk1-f182.google.com with SMTP id j187so17927360qke.11 for ; Tue, 28 Jul 2020 02:10:37 -0700 (PDT) X-Gm-Message-State: AOAM532QIUFAHTGiVuSvKnX3LhU6nx9e3o5NcAwWgxbo3HiPrxhsalGV A6W7zoieg/O5zYuE+aosLjM2qMjaIlfqEat4Bxw= X-Received: by 2002:a37:385:: with SMTP id 127mr25310801qkd.3.1595927436336; Tue, 28 Jul 2020 02:10:36 -0700 (PDT) MIME-Version: 1.0 References: <20200726220557.102300-1-yepeilin.cs@gmail.com> <20200726222703.102701-1-yepeilin.cs@gmail.com> <20200727131608.GD1913@kadam> <20200727223357.GA329006@PWN> In-Reply-To: <20200727223357.GA329006@PWN> From: Arnd Bergmann Date: Tue, 28 Jul 2020 11:10:20 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix kernel-infoleak in video_put_user() To: Peilin Ye Cc: Dan Carpenter , Greg Kroah-Hartman , linux-kernel-mentees@lists.linuxfoundation.org, "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" X-Provags-ID: V03:K1:Q3fT1idtTBmO7YatuFmYT9rv/IcfaRQT+rnlaCCHLp+Nm6pT4KX aaeS5KiB5CnfNKGuo3M2tyuBiKy0fzEAFbY+y//fPH3ZbHVxXuMmsPAzjTDjadfxW3a8sSc B7xuuW+AzHrOJLI0KUoDhChxEzRZM1QbvSVs94EjMUoTOnY6ymAAm0PxIZRAWoNREmgRUpW 838E/TbPf1n42gLakehag== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:P/TFOYHB+HI=:XbBqJ+bfikp7nEBAATyyrY zP34tuMgYKxwKT9Ent4mJSJlU3G85REmYML9KzAWAeAtjLzULz6gc9AdhapsLIE+KGdWxc05F fJiYPwVVFypJbAuzOlJw8hLKW7B2Ac6CqMiaw+yN6/a+xQio7FvEmSaJwzyOFfp9CzDCKJVyT wu4vnZfBTmQtcOtMjWFHdV2+1GJvvd1HNrhle36j0wWIAYgmLHv+eUcQ8AfKvKbAI5j6OfKQl HGI98S95pV3z3K9Sb4U6LFAcMzbauno5LWROHg1lTiBKQUlyOLO54URhpnqAiFtdBIhrHB1um wRo/JbsTyCLyrcs1GFHF5yaR9OAsvcJ9bz4tfE34v/6HycAVGimacU/tgyc8BjG0GzTEHyBAn fsTaX6pkrJfxWiVq8hZtpauic7ClRT1z5gUhJpib5cKFozXWf9cuLICCI05IgP3oJU6CJ/0G7 zI1Az8OXwCIYQb/Xya/cqDe90tehDU0AYK+2+Rw0VPGizqXvNK40det6tjxC6rUQzJx3aaTJ/ LCbkb0ShxjocazPBvQ/oLDG3QO6a+szA+zHq19a9hDvuvWd8sPr+OL+bSrOLDcZSHk4I8Rcqe rHzjAOqeFGhYLxUsX2ik3d4yQFyJ7aav3jGVNuoGbBHealhZUDkn7tWXzEwKT+CYreheJpGxU oGn1RXR2khjWlDf6eOFScUqeRgVRR4a+Z882QtfMcEp7tTTmfWeyd9Zt6kK4m/wQ/J6jfeZVd xTwN+9jDIzLgDspYtZPtHbYehSH7S0pbwz/bCiEse/25HzVtgfisRCmeIChKa3haNMEedsy3c uAv8H3aG7JX7OAxaWtoWapJDRpZNd2ne7sLyzbCA3rZjfYaRolr4axs0xRcHb+gM1Ym80R9i+ CNlQ2JdlwAuP/FDX+6k48K+m86y9kJpQszNZPTvdW8FI4uFFvm9RJSjtlF2bG1JAqdEnImuQj 9jhYfknkFJKQEZLRO7w4u89I5cbPvh/dI0gN1V/Ep+CJDmQjiIp2W Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 28, 2020 at 12:34 AM Peilin Ye wrote: > > On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote: > > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd' doesn't leak information (struct has a hole after 'flags') > > (Removed some Cc: recipients from the list.) > > I'm not very sure, but I think this one is also a false positive. > > Here Smatch is complaining about a linked list called `my_raw_cmd` > defined in raw_cmd_ioctl(): > > drivers/block/floppy.c:3249: > > ret = raw_cmd_copyin(cmd, param, &my_raw_cmd); > > In raw_cmd_copyin(), each element of the linked list is allocated by > kmalloc() then copied from user: > > drivers/block/floppy.c:3180: > > loop: > ptr = kmalloc(sizeof(struct floppy_raw_cmd), GFP_KERNEL); > ^^^^^^^ > if (!ptr) > return -ENOMEM; > *rcmd = ptr; > ret = copy_from_user(ptr, param, sizeof(*ptr)); > ^^^^^^^^^^^^^^ > > I think copy_from_user() is filling in the paddings inside `struct > floppy_raw_cmd`? I am not completely sure about this one either. copy_from_user() would indeed fill the pad bytes in the structure, but there is another problem: struct floppy_raw_cmd cmd = *ptr; cmd.next = NULL; cmd.kernel_data = NULL; ret = copy_to_user(param, &cmd, sizeof(cmd)); IIRC the struct assignment is allowed to be done per member and skip the padding, so the on-stack copy can then again contain a data leak. The compiler is likely to turn a struct assignment into a memcpy(), but as the code then goes on to set two members individually, I suppose doing a per-member copy would not be unreasonable behavior either and doing a memcpy() instead of an assignment would be the safe choice. If someone has a clearer understanding of what the compiler is actually allowed to do here, please let us know. Arnd