Date: Tue, 28 Jul 2020 09:13:28 -0400
From: Peilin Ye
To: Dan Carpenter
Cc: Arnd Bergmann, Greg Kroah-Hartman, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix kernel-infoleak in video_put_user()
Message-ID: <20200728131328.GA410244@PWN>
References: <20200726220557.102300-1-yepeilin.cs@gmail.com> <20200726222703.102701-1-yepeilin.cs@gmail.com> <20200727131608.GD1913@kadam> <20200727223357.GA329006@PWN> <20200728094707.GF2571@kadam>
In-Reply-To: <20200728094707.GF2571@kadam>

On Tue, Jul 28, 2020 at 12:47:07PM +0300, Dan Carpenter wrote:
> On Mon, Jul 27, 2020 at 06:33:57PM -0400, Peilin Ye wrote:
> > On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote:
> > > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd' doesn't leak information (struct has a hole after 'flags')
> >
> > (Removed some Cc: recipients from the list.)
> >
> > I'm not very sure, but I think this one is also a false positive.
>
> No, it's a potential bug.  You're over thinking what Smatch is
> complaining about.  Arnd is right.
>
> 3123 static int raw_cmd_copyout(int cmd, void __user *param,
> 3124                            struct floppy_raw_cmd *ptr)
> 3125 {
> 3126         int ret;
> 3127
> 3128         while (ptr) {
> 3129                 struct floppy_raw_cmd cmd = *ptr;
>                                                 ^^^^^^^^^^
> The compiler can either do this assignment as an memcpy() or as a
> series of struct member assignments.  So the assignment can leave the
> struct hole uninitialized.

I see, I didn't realize this line could cause the issue. Thank you for pointing this out, I will do this then send a patch:

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 09079aee8dc4..398c261fd174 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3126,7 +3126,8 @@ static int raw_cmd_copyout(int cmd, void __user *param,
 	int ret;
 
 	while (ptr) {
-		struct floppy_raw_cmd cmd = *ptr;
+		struct floppy_raw_cmd cmd;
+		memcpy(&cmd, ptr, sizeof(cmd));
 		cmd.next = NULL;
 		cmd.kernel_data = NULL;
 		ret = copy_to_user(param, &cmd, sizeof(cmd));

Thank you,
Peilin Ye

> 3130                 cmd.next = NULL;
> 3131                 cmd.kernel_data = NULL;
> 3132                 ret = copy_to_user(param, &cmd, sizeof(cmd));
>                                         ^^^^
> potential info leak.
>
> 3133                 if (ret)
> 3134                         return -EFAULT;
> 3135                 param += sizeof(struct floppy_raw_cmd);
> 3136                 if ((ptr->flags & FD_RAW_READ) && ptr->buffer_length) {
> 3137                         if (ptr->length >= 0 &&
> 3138                             ptr->length <= ptr->buffer_length) {
> 3139                                 long length = ptr->buffer_length - ptr->length;
> 3140                                 ret = fd_copyout(ptr->data, ptr->kernel_data,
> 3141                                                  length);
> 3142                                 if (ret)
> 3143                                         return ret;
> 3144                         }
> 3145                 }
> 3146                 ptr = ptr->next;
> 3147         }
> 3148
> 3149         return 0;
> 3150 }
>
> regards,
> dan carpenter
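Review bot: the memcpy() added in this hunk copies the padding hole after 'flags' byte-for-byte from *ptr, so it only closes the leak if that source object's padding was itself initialized; the hunk does not show how *ptr is allocated and filled, and if it was populated member by member the stale hole bytes still reach copy_to_user() unchanged. Consider making the destination deterministic regardless of the source, e.g. `memset(&cmd, 0, sizeof(cmd));` followed by copying the members you need, or ensure the source is zeroed at allocation, and state which of these the patch relies on in the commit message so the Smatch finding is answered on the record.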
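The padding-hole mechanism discussed above, as an added example that is not code from the thread or from the floppy driver: a constructed `struct raw_cmd_like` with a hole after `flags` (a stand-in for `struct floppy_raw_cmd`) has its source padding pre-filled with a marker byte to play the role of stale memory, and the two copy strategies are compared by counting how many marker bytes survive in the hole of the copy. It assumes, as on common compilers, that storing to individual members does not rewrite the neighbouring padding bytes.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for struct floppy_raw_cmd: 'data' needs wider
 * alignment than 'flags', so the compiler leaves a padding hole between them. */
struct raw_cmd_like {
    unsigned char flags;
    unsigned long data;
    unsigned long length;
};

/* Byte offsets of the padding hole that follows 'flags'. */
static size_t hole_start(void) { return offsetof(struct raw_cmd_like, flags) + sizeof(unsigned char); }
static size_t hole_end(void)   { return offsetof(struct raw_cmd_like, data); }

/* Count hole bytes in 'obj' that still carry 'marker'. */
static size_t hole_bytes_equal(const struct raw_cmd_like *obj, unsigned char marker)
{
    const unsigned char *raw = (const unsigned char *)obj;
    size_t i, n = 0;
    for (i = hole_start(); i < hole_end(); i++)
        if (raw[i] == marker)
            n++;
    return n;
}

/* Source object whose padding holds a marker, standing in for stale kernel memory
 * (assumption: member stores leave the padding bytes untouched). */
static void make_source(struct raw_cmd_like *src, unsigned char marker)
{
    memset(src, marker, sizeof(*src));
    src->flags = 1; src->data = 0x1000; src->length = 512;
}

/* As in the hunk: memcpy() copies the hole verbatim, so the marker reaches 'cmd'. */
static size_t memcpy_copy_leaks(unsigned char marker)
{
    struct raw_cmd_like src, cmd;
    make_source(&src, marker);
    memcpy(&cmd, &src, sizeof(cmd));
    return hole_bytes_equal(&cmd, marker);
}

/* Zero the destination first, then copy members: the hole is deterministic. */
static size_t zeroed_copy_leaks(unsigned char marker)
{
    struct raw_cmd_like src, cmd;
    make_source(&src, marker);
    memset(&cmd, 0, sizeof(cmd));
    cmd.flags = src.flags; cmd.data = src.data; cmd.length = src.length;
    return hole_bytes_equal(&cmd, marker);
}
```

The count returned by `memcpy_copy_leaks()` equals the full hole size, while `zeroed_copy_leaks()` returns 0, which is the difference a user-space copy of `cmd` would expose.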