Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp569550ybg; Tue, 28 Jul 2020 13:03:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwaMTzAXCAe3i3+7pKJd+KfvmcGNJ2QVIqSdY/C6XJEFy2KUaR9SGNkNcTh+6rBRN09AR7e X-Received: by 2002:a17:906:3984:: with SMTP id h4mr28583320eje.254.1595966638593; Tue, 28 Jul 2020 13:03:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595966638; cv=none; d=google.com; s=arc-20160816; b=dWJ0NAC1I/SzeFyymVGffDVSQTyIcw7jFv1Pqt1af+f+ZrdfUT6W8AcObjTCj8eXsS gGb8DXwh1lmRIewU/O/zuG+QIpTtpu+CW+qqtf671ds9uAAg7f9g46nRmO8NHXkyA3aq FRvv80K6UbWLx1OLsjVHVwZ0V9XJ0HClGEHnnBrDNyH1eWGR51L61P2PjsYBKiTPv8g/ ju+b4VwL+k5FDb6U/asqN9OP4Lnxj76E5ZOa9zTlHxzg8j8NtkABmi54c/24sTirnm8p icsgzdDKvsro0MtXNOhiRQ/REFyhu2kff4rT0wCUHEhXC3jYmH8TzJT5eqpBjchmWeoW APZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=UjriuwUrFe3JnfpGcdrsyLfiemXOEMJgHirDygAb170=; b=xXOyQIGJ3/kgn7QLaVlbJGACCK+rbRQQfcdxr1J04c3W8kwwareh2Eow9K+iQf7/iu QlI5ED0z7KuurNRPQYTQcbI6seiE+XNE8MILiuzz9aJcoqHLgRpQNeF8nk50Ma8wzQwf aU1Y+vSA+Oe6Oubo3777LI5H38SvHhBsr7//RSmSBDNrHRYE6vgSisWUS6Cm7lSCPQ+v 4BsgIF4o3JsKnDJtLlt99I9TJm7nYHSQIEJDIUk+VeL1MBIRfbvM+RHmWWzfxCCYCKSl yvhi69mXzYL4uQOWjHiqyLIfo5/Nz1p+KRe6cwQyWZnvgPM9CBfNQ38ZoI/4G75IbC3k k4xg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=DnBLXKs2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ch10si5352037edb.28.2020.07.28.13.03.35; Tue, 28 Jul 2020 13:03:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=DnBLXKs2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732814AbgG1Tbf (ORCPT + 99 others); Tue, 28 Jul 2020 15:31:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54210 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732685AbgG1Tbe (ORCPT ); Tue, 28 Jul 2020 15:31:34 -0400 Received: from mail-qt1-x843.google.com (mail-qt1-x843.google.com [IPv6:2607:f8b0:4864:20::843]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 74D06C061794 for ; Tue, 28 Jul 2020 12:31:34 -0700 (PDT) Received: by mail-qt1-x843.google.com with SMTP id o22so15529881qtt.13 for ; Tue, 28 Jul 2020 12:31:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=UjriuwUrFe3JnfpGcdrsyLfiemXOEMJgHirDygAb170=; b=DnBLXKs29zvI1lqMHtzOQmUYICRL0HV7SdVxAYUWpDzp+OeQNWAsihxrWRmrLqx5hw V/mz4yk8dR+/HiOKLkukQF+iH/1wV+lXCEU5IpLdFR+Nr4KvMDIOV4IpAaa4Sc1a6cI5 uEZO4sFf0YAiOi8NlYlVXqof05YNkMYlNhcHzOKDtCcZgqKaN6JLihS+FXwhlVssJ5nC ZFXXkrQW6Ck691VYbNY77aXTTJSUE5cW+/D4gUKH18Q3ilU7/qdTfRP2V7nhHjvdKcId H4TbmeefL4EYTkjGeTSy9mhEGEPi9HlVpoHAxyxY/VcwiFn4Ff4lVcQlgQoqlJlIfzS/ UcDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=UjriuwUrFe3JnfpGcdrsyLfiemXOEMJgHirDygAb170=; b=NEr5ukZ+4QYwBvyBHOa9oLNo37Ui2EnKS2tquI0cTuBQtSmmQBI/yPh0UVTGe0Kc0S MeqYPIEVLB3AkIFnst+E90eMgi0ZNTv6BoEQ549FUexLdUfLRJT8H2FUS1MCrZidMuyU u/uBl64humFVm6TgZQs1aST7Wd/WEIZ32rv3Zo9xJxecQD1DS3Zkjj/d4urvVCtpLj/X zVmzQr+Al5KHKbwRghnBYcHWN4mBqqcqfTiSvO9LL+9b503CkNJ2q0YqDGyYlv7IbwcM DoHxoueXZjHjKyBMmgle8ofGaTiEdtDejiTC+41BlpaYOQOkTyKqUmr5RtEVg7iYSuf5 bsYQ== X-Gm-Message-State: AOAM532q7Vt6ydMzlBOYJg06sMrfzm0QvY/lQbulOlqVXLmqQta9xh+Z QMmdtYolAgklK89HzJpiCQ== X-Received: by 2002:ac8:6f4a:: with SMTP id n10mr24304675qtv.363.1595964693541; Tue, 28 Jul 2020 12:31:33 -0700 (PDT) Received: from localhost.localdomain (c-76-119-149-155.hsd1.ma.comcast.net. [76.119.149.155]) by smtp.gmail.com with ESMTPSA id k48sm21410544qtc.14.2020.07.28.12.31.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Jul 2020 12:31:33 -0700 (PDT) From: Peilin Ye To: Alex Deucher , =?UTF-8?q?Christian=20K=C3=B6nig?= , David Airlie , Daniel Vetter Cc: Peilin Ye , Dan Carpenter , Arnd Bergmann , Greg Kroah-Hartman , Evan Quan , Felix Kuehling , Xiaojie Yuan , =?UTF-8?q?Marek=20Ol=C5=A1=C3=A1k?= , Trek , Leo Liu , Thomas Zimmermann , Nicholas Kazlauskas , Hans de Goede , linux-kernel-mentees@lists.linuxfoundation.org, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Subject: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() Date: Tue, 28 Jul 2020 15:29:24 -0400 Message-Id: <20200728192924.441570-1-yepeilin.cs@gmail.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Compiler leaves a 4-byte hole near the end of `dev_info`, causing amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace when `size` is greater than 356. In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which unfortunately does not initialize that 4-byte hole. Fix it by using memset() instead. Cc: stable@vger.kernel.org Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()") Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") Suggested-by: Dan Carpenter Signed-off-by: Peilin Ye --- $ pahole -C "drm_amdgpu_info_device" drivers/gpu/drm/amd/amdgpu/amdgpu_kms.o struct drm_amdgpu_info_device { __u32 device_id; /* 0 4 */ __u32 chip_rev; /* 4 4 */ __u32 external_rev; /* 8 4 */ __u32 pci_rev; /* 12 4 */ __u32 family; /* 16 4 */ __u32 num_shader_engines; /* 20 4 */ __u32 num_shader_arrays_per_engine; /* 24 4 */ __u32 gpu_counter_freq; /* 28 4 */ __u64 max_engine_clock; /* 32 8 */ __u64 max_memory_clock; /* 40 8 */ __u32 cu_active_number; /* 48 4 */ __u32 cu_ao_mask; /* 52 4 */ __u32 cu_bitmap[4][4]; /* 56 64 */ /* --- cacheline 1 boundary (64 bytes) was 56 bytes ago --- */ __u32 enabled_rb_pipes_mask; /* 120 4 */ __u32 num_rb_pipes; /* 124 4 */ /* --- cacheline 2 boundary (128 bytes) --- */ __u32 num_hw_gfx_contexts; /* 128 4 */ __u32 _pad; /* 132 4 */ __u64 ids_flags; /* 136 8 */ __u64 virtual_address_offset; /* 144 8 */ __u64 virtual_address_max; /* 152 8 */ __u32 virtual_address_alignment; /* 160 4 */ __u32 pte_fragment_size; /* 164 4 */ __u32 gart_page_size; /* 168 4 */ __u32 ce_ram_size; /* 172 4 */ __u32 vram_type; /* 176 4 */ __u32 vram_bit_width; /* 180 4 */ __u32 vce_harvest_config; /* 184 4 */ __u32 gc_double_offchip_lds_buf; /* 188 4 */ /* --- cacheline 3 boundary (192 bytes) --- */ __u64 prim_buf_gpu_addr; /* 192 8 */ __u64 pos_buf_gpu_addr; /* 200 8 */ __u64 cntl_sb_buf_gpu_addr; /* 208 8 */ __u64 param_buf_gpu_addr; /* 216 8 */ __u32 prim_buf_size; /* 224 4 */ __u32 pos_buf_size; /* 228 4 */ __u32 cntl_sb_buf_size; /* 232 4 */ __u32 param_buf_size; /* 236 4 */ __u32 wave_front_size; /* 240 4 */ __u32 num_shader_visible_vgprs; /* 244 4 */ __u32 num_cu_per_sh; /* 248 4 */ __u32 num_tcc_blocks; /* 252 4 */ /* --- cacheline 4 boundary (256 bytes) --- */ __u32 gs_vgt_table_depth; /* 256 4 */ __u32 gs_prim_buffer_depth; /* 260 4 */ __u32 max_gs_waves_per_vgt; /* 264 4 */ __u32 _pad1; /* 268 4 */ __u32 cu_ao_bitmap[4][4]; /* 272 64 */ /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */ __u64 high_va_offset; /* 336 8 */ __u64 high_va_max; /* 344 8 */ __u32 pa_sc_tile_steering_override; /* 352 4 */ /* XXX 4 bytes hole, try to pack */ __u64 tcc_disabled_mask; /* 360 8 */ /* size: 368, cachelines: 6, members: 49 */ /* sum members: 364, holes: 1, sum holes: 4 */ /* last cacheline: 48 bytes */ }; drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c index a8c47aecd342..0047da06041f 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c @@ -707,9 +707,10 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file return n ? -EFAULT : 0; } case AMDGPU_INFO_DEV_INFO: { - struct drm_amdgpu_info_device dev_info = {}; + struct drm_amdgpu_info_device dev_info; uint64_t vm_size; + memset(&dev_info, 0, sizeof(dev_info)); dev_info.device_id = dev->pdev->device; dev_info.chip_rev = adev->rev_id; dev_info.external_rev = adev->external_rev_id; -- 2.25.1