Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp932248ybg; Wed, 29 Jul 2020 01:12:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyZmW39VfW60VcXC6wBCBJBT6ebgwkKgc5xgjZdQ907sObH1EmSsHfK5ktWohT6CATPM9Xd X-Received: by 2002:a17:907:100f:: with SMTP id ox15mr16447092ejb.323.1596010339883; Wed, 29 Jul 2020 01:12:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596010339; cv=none; d=google.com; s=arc-20160816; b=sifvyGVW+2ZAGSo21ZOR8xAAXiUyPtaWXWOBQt7ZElPF4B/PTOeCmonoLj+IOUb+Oj 6cY8fJckcuijVyWK8vNJ5kDd0Zrmyn/5bkUENeYYIUryupA0zcSi70Sda299Ytzuydmz 6vwUFF/ZE8P7jk8M3F1YVUo0aDaJx95Tx4iOQqCkt06IxdgwiccSeyOAAjaq2sGAzyyB n8rN4xHS/XunlIrzTNj1CEk5Wgf23PPxqBJeE93TZ7p8BEtGFZBSn4lmcYMKWUaAx18j iYbLu3KSk4gCyVnb8TGQJKX8URjARQIb11O2DgmS6Rlw6FTdRRA3eHHKc+D/z5MpEFD7 tfMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:reply-to:dkim-signature; bh=/t5pNySee6OqbzQZAWjwnDIE2zX5dn9rOcmBRRLPlS8=; b=bV2g8ML6fZvM9u2rzTzPujPJYh8aZaZQDJSufyXwlPa8HViBIK/ilnHrUukfrqa/+i 10I9RfwOgGnAvQYqrR0BeN0/4xmdu+9TwD/Abdjbwm8zIehTxI4Ly0UYpmwz84twhVTH 07/gz0L0xC5PqZC6jzmTM0ip95bnENOTCLLR1Ksu6KCJ0F+MkZQz6MUkkzDmDSCawhfG YXaeKGVvXms05Rgbuq9uZMw3zh7HkCS1B7ZR/aOT7qbu9UqPQEXftKXADkCE2jSKanN9 RD2BpU0af+GrRPC2K5xla5TvBMwC+JVzQq3LXrwlRXVhL1gSRIvQ1DzJ4LxYSrXmqp8+ xUvA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=J4uqbyW3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b24si658574eje.471.2020.07.29.01.11.56; Wed, 29 Jul 2020 01:12:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=J4uqbyW3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727876AbgG2ILS (ORCPT + 99 others); Wed, 29 Jul 2020 04:11:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58038 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726476AbgG2ILR (ORCPT ); Wed, 29 Jul 2020 04:11:17 -0400 Received: from mail-ej1-x644.google.com (mail-ej1-x644.google.com [IPv6:2a00:1450:4864:20::644]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 94B89C061794 for ; Wed, 29 Jul 2020 01:11:17 -0700 (PDT) Received: by mail-ej1-x644.google.com with SMTP id qc22so8587949ejb.4 for ; Wed, 29 Jul 2020 01:11:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=reply-to:subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=/t5pNySee6OqbzQZAWjwnDIE2zX5dn9rOcmBRRLPlS8=; b=J4uqbyW3DPYAUqprlCh0mjjkrOfnI1IdYmwCrBeG2W65C0YQh0YigGyEcTMv9TDaop 8+QysujUGb0/8unyd0iqLKEwEdc946YOUxRiSlm+RU1Ju8vBvRUSPN8is8QDCRFOQx0E SrNfNRy2JCfDMO8HUm6w/dPrM/FCBnhiGt2SpsQmanyif6KVet48HHt2I/wtjtHg07PB MUhZCuQoOZjS8OxmXiOwvfKOwxIEWCGnNRk+cgVlTVcyQ+VqfXZ1t0757ByUglvRoyIo gf//kssY6kJxGZ8ArKMzAwR1m2pPRFra3X1mxkjgLJKRwhmPPHIk8xtAbCIX5cB1L0U8 lW0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:reply-to:subject:to:cc:references:from :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding:content-language; bh=/t5pNySee6OqbzQZAWjwnDIE2zX5dn9rOcmBRRLPlS8=; b=eJx8EDy29T7lTgVgJzcmpNnaJNSqHoiVK2lgsw5rO8viqCzwsH2pd3bTZ4AoaM0SDh 4YxPrHDfJeLTptYHQv4dxNf/TF7MzTp4189lYfqXiJ7LM1iW/Etfmy3HZu4FY/kR4wQY xQ0V4eFS6i00dF2p4VrKdnInZF0R3072hLEC9OvoK7mVBphQthFWh6j+01VevC9l1jlA R7P05xvHjHGB8J0A7QMztbQyLZEwFTKy9sSO82zBDdb7RfBpGw4EGxHPD0pWcywhkpj6 01x6PcSeK2IZLbyhgrVJ1USMbQPSlqRL3U438b68ya8EEDEMnqLLHU6JM35CzHv7wkEb wtGg== X-Gm-Message-State: AOAM533yPgtrwMsPH00gDVBskZpg4g3Sjpp+VE87w+hyeDWflFnoQRFe 2xugpFSRwlf3jrbMrYKm6+Q= X-Received: by 2002:a17:906:a253:: with SMTP id bi19mr28201798ejb.338.1596010276279; Wed, 29 Jul 2020 01:11:16 -0700 (PDT) Received: from ?IPv6:2a02:908:1252:fb60:be8a:bd56:1f94:86e7? ([2a02:908:1252:fb60:be8a:bd56:1f94:86e7]) by smtp.gmail.com with ESMTPSA id v2sm1166890edb.95.2020.07.29.01.11.14 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 29 Jul 2020 01:11:15 -0700 (PDT) Reply-To: christian.koenig@amd.com Subject: Re: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() To: Peilin Ye , Alex Deucher , =?UTF-8?Q?Christian_K=c3=b6nig?= , David Airlie , Daniel Vetter Cc: Arnd Bergmann , Greg Kroah-Hartman , Felix Kuehling , linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, Nicholas Kazlauskas , =?UTF-8?B?TWFyZWsgT2zFocOhaw==?= , Hans de Goede , linux-kernel-mentees@lists.linuxfoundation.org, Trek , dri-devel@lists.freedesktop.org, Thomas Zimmermann , Evan Quan , Leo Liu , Dan Carpenter , Xiaojie Yuan References: <20200728192924.441570-1-yepeilin.cs@gmail.com> From: =?UTF-8?Q?Christian_K=c3=b6nig?= Message-ID: <30b2a31f-77c2-56c1-ecde-875c6eea99d5@gmail.com> Date: Wed, 29 Jul 2020 10:11:13 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <20200728192924.441570-1-yepeilin.cs@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am 28.07.20 um 21:29 schrieb Peilin Ye: > Compiler leaves a 4-byte hole near the end of `dev_info`, causing > amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace > when `size` is greater than 356. > > In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which > unfortunately does not initialize that 4-byte hole. Fix it by using > memset() instead. > > Cc: stable@vger.kernel.org > Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()") > Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") > Suggested-by: Dan Carpenter > Signed-off-by: Peilin Ye Reviewed-by: Christian König I can't count how many of those we have fixed over the years. At some point we should probably document that using "= {}" or "= { 0 }" in the kernel is a really bad idea and should be avoided. Thanks, Christian. > --- > $ pahole -C "drm_amdgpu_info_device" drivers/gpu/drm/amd/amdgpu/amdgpu_kms.o > struct drm_amdgpu_info_device { > __u32 device_id; /* 0 4 */ > __u32 chip_rev; /* 4 4 */ > __u32 external_rev; /* 8 4 */ > __u32 pci_rev; /* 12 4 */ > __u32 family; /* 16 4 */ > __u32 num_shader_engines; /* 20 4 */ > __u32 num_shader_arrays_per_engine; /* 24 4 */ > __u32 gpu_counter_freq; /* 28 4 */ > __u64 max_engine_clock; /* 32 8 */ > __u64 max_memory_clock; /* 40 8 */ > __u32 cu_active_number; /* 48 4 */ > __u32 cu_ao_mask; /* 52 4 */ > __u32 cu_bitmap[4][4]; /* 56 64 */ > /* --- cacheline 1 boundary (64 bytes) was 56 bytes ago --- */ > __u32 enabled_rb_pipes_mask; /* 120 4 */ > __u32 num_rb_pipes; /* 124 4 */ > /* --- cacheline 2 boundary (128 bytes) --- */ > __u32 num_hw_gfx_contexts; /* 128 4 */ > __u32 _pad; /* 132 4 */ > __u64 ids_flags; /* 136 8 */ > __u64 virtual_address_offset; /* 144 8 */ > __u64 virtual_address_max; /* 152 8 */ > __u32 virtual_address_alignment; /* 160 4 */ > __u32 pte_fragment_size; /* 164 4 */ > __u32 gart_page_size; /* 168 4 */ > __u32 ce_ram_size; /* 172 4 */ > __u32 vram_type; /* 176 4 */ > __u32 vram_bit_width; /* 180 4 */ > __u32 vce_harvest_config; /* 184 4 */ > __u32 gc_double_offchip_lds_buf; /* 188 4 */ > /* --- cacheline 3 boundary (192 bytes) --- */ > __u64 prim_buf_gpu_addr; /* 192 8 */ > __u64 pos_buf_gpu_addr; /* 200 8 */ > __u64 cntl_sb_buf_gpu_addr; /* 208 8 */ > __u64 param_buf_gpu_addr; /* 216 8 */ > __u32 prim_buf_size; /* 224 4 */ > __u32 pos_buf_size; /* 228 4 */ > __u32 cntl_sb_buf_size; /* 232 4 */ > __u32 param_buf_size; /* 236 4 */ > __u32 wave_front_size; /* 240 4 */ > __u32 num_shader_visible_vgprs; /* 244 4 */ > __u32 num_cu_per_sh; /* 248 4 */ > __u32 num_tcc_blocks; /* 252 4 */ > /* --- cacheline 4 boundary (256 bytes) --- */ > __u32 gs_vgt_table_depth; /* 256 4 */ > __u32 gs_prim_buffer_depth; /* 260 4 */ > __u32 max_gs_waves_per_vgt; /* 264 4 */ > __u32 _pad1; /* 268 4 */ > __u32 cu_ao_bitmap[4][4]; /* 272 64 */ > /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */ > __u64 high_va_offset; /* 336 8 */ > __u64 high_va_max; /* 344 8 */ > __u32 pa_sc_tile_steering_override; /* 352 4 */ > > /* XXX 4 bytes hole, try to pack */ > > __u64 tcc_disabled_mask; /* 360 8 */ > > /* size: 368, cachelines: 6, members: 49 */ > /* sum members: 364, holes: 1, sum holes: 4 */ > /* last cacheline: 48 bytes */ > }; > > drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c > index a8c47aecd342..0047da06041f 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c > @@ -707,9 +707,10 @@ static int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file > return n ? -EFAULT : 0; > } > case AMDGPU_INFO_DEV_INFO: { > - struct drm_amdgpu_info_device dev_info = {}; > + struct drm_amdgpu_info_device dev_info; > uint64_t vm_size; > > + memset(&dev_info, 0, sizeof(dev_info)); > dev_info.device_id = dev->pdev->device; > dev_info.chip_rev = adev->rev_id; > dev_info.external_rev = adev->external_rev_id;