Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp1137940ybg; Wed, 29 Jul 2020 06:50:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwDlRqlLJzI5KGi0KFIrStEO3Pf1I6KY8oE+gaxcIALUGEI5VWT0akzihBZmc2VlnyV0UtC X-Received: by 2002:a17:906:e0c7:: with SMTP id gl7mr28813727ejb.264.1596030626532; Wed, 29 Jul 2020 06:50:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596030626; cv=none; d=google.com; s=arc-20160816; b=AaACWQzeVEsW/pjxGLD3+wGlr+xOH0O1+CBfp7sfUu4+57oMp6cxO2FLoEgCWM/KuT aeneLpQAuu7ynWAcofs7y85QYQeiYTJNsL21jAAI5Fxieb8bs8JWFeHY92JTMBJP4YuE BmGwdGDUk/tyQhrZYo13hXSs2EQfc3AmbTsqF6k8Y6ecGfX02zJlviv5C2MzdVW3YI8g UxSOI0oqKWunvXFCLGPaqTt6N9lX0Tx9yJWcQX9v7rfffs5UNAeJfBs0P9hL6gmtAwUr KesJY1zigjdiTYo8CQUj3uE1tj2cjYTgTQlsQCuzgedQPZoi9pDqyPJIAkmdzCHHYvDF +Wuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=Et5z1sZLk52/qbAVghdHR+awPZijgneg8JJ3iKi6Rk8=; b=qImjmJdPIktrlPOAzm95RzrCysNcCUA07OIV0z2fSLloEN/w7zhySu82GbO1/kaGUb xOfkH/4shrOSv2tu5e+00X6FKVH7X7R5wfYPOeMlDmySFoUmciIu1VvlsjeGeTMgKtpa WIJN3EfqGy1gmzAvdx9NLTs05sjCo0TJHAq728pD6HLka/XNFd3psgCm6pf9TVts0Quq s2Uuj1Ix5yAeeVwG0mxkiJK9iG62EiZlgQoBWT6eqdjdl11h9oZ/Is+f2qBDfYpOMmPX qBWlzArVroETPOUk5gsOIRZHVQ2dqwrziQT91cC+9PuWtez2huSjlM9HYkDX+GY1iYwG +YCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=kyntGUky; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o20si1077850ejg.120.2020.07.29.06.50.03; Wed, 29 Jul 2020 06:50:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=kyntGUky; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726480AbgG2Nty (ORCPT + 99 others); Wed, 29 Jul 2020 09:49:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53504 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726054AbgG2Ntx (ORCPT ); Wed, 29 Jul 2020 09:49:53 -0400 Received: from mail-wr1-x442.google.com (mail-wr1-x442.google.com [IPv6:2a00:1450:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C463AC061794 for ; Wed, 29 Jul 2020 06:49:52 -0700 (PDT) Received: by mail-wr1-x442.google.com with SMTP id y3so21721708wrl.4 for ; Wed, 29 Jul 2020 06:49:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Et5z1sZLk52/qbAVghdHR+awPZijgneg8JJ3iKi6Rk8=; b=kyntGUkyFBHeFFulXmAK7oxUUkHGYZm466Zwno9ogC+/uNaltAeVLdoGuDUWI2FhBv /5e9KVb8f5DIKK9utWXmQ+6oX/j4pajp9xcjuyoIxCB7EYNM2lzQLmQinPyI+L76Ork4 I87E5McdibOS8eYKSE6Do5hYP5MlPH6oHVoLsloXyRa7Ot+awzgAbWVkc63iedz5xHyz TrQRxVy7TmyU33DKkbKJ8SK51km7qA6LuVaYvsoaSSBqgwNqIR13NPAsdhlikegwL5Vw iBsQLiAwD9wjdRES/NsnSjhyuEeF6stpWTGFfdB9oZJ/FTJ+aojYfTPhWAzmy1zQnPob my8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Et5z1sZLk52/qbAVghdHR+awPZijgneg8JJ3iKi6Rk8=; b=BGnUiTI208Jjj1hlkqgpvuX3VEAHru6I4p6vAvtqBbMcGySgHfQjuUSfqonj64EaXL aYiho5iZpxJ/Xust5pymwtAKtTR2LI3rnOgrAF8h2zBhVqekIyOJC6Zdz+oMJg0RjIh9 Mz0BgOfjmc+zIbUdrY/1+mezvse5YwaHlj2sPcG5cnTg7RdhPZUimZMGyCro2QL0MfQy 9jC4FcdFR2H2fky5wy52Bm4ibsm1Xl1b7F8d7tD8lDofBueR2mCh+FGVuw6Sy6rFRQ9X DTl1p0OH6k/tOdtt1doOvapylDXzksKHM81yF5EZ1T0PfgCxh+1NXVnbhHO2562lXlZ9 KANg== X-Gm-Message-State: AOAM532MFBM6ReasqYdryfO464NdkRpfmYuMi4je3fUOUPLdZMFcZh7C H+TO6RAdPJjCpElV3X2IA1FADViMaL8xoIh7aQ0= X-Received: by 2002:adf:a351:: with SMTP id d17mr29291191wrb.111.1596030591452; Wed, 29 Jul 2020 06:49:51 -0700 (PDT) MIME-Version: 1.0 References: <20200728192924.441570-1-yepeilin.cs@gmail.com> <30b2a31f-77c2-56c1-ecde-875c6eea99d5@gmail.com> In-Reply-To: <30b2a31f-77c2-56c1-ecde-875c6eea99d5@gmail.com> From: Alex Deucher Date: Wed, 29 Jul 2020 09:49:40 -0400 Message-ID: Subject: Re: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() To: Christian Koenig Cc: Peilin Ye , Alex Deucher , David Airlie , Daniel Vetter , Leo Liu , Arnd Bergmann , Greg Kroah-Hartman , Felix Kuehling , LKML , amd-gfx list , =?UTF-8?B?TWFyZWsgT2zFocOhaw==?= , Hans de Goede , Trek , Maling list - DRI developers , Thomas Zimmermann , Evan Quan , linux-kernel-mentees@lists.linuxfoundation.org, Nicholas Kazlauskas , Dan Carpenter , Xiaojie Yuan Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 29, 2020 at 4:11 AM Christian K=C3=B6nig wrote: > > Am 28.07.20 um 21:29 schrieb Peilin Ye: > > Compiler leaves a 4-byte hole near the end of `dev_info`, causing > > amdgpu_info_ioctl() to copy uninitialized kernel stack memory to usersp= ace > > when `size` is greater than 356. > > > > In 2015 we tried to fix this issue by doing `=3D {};` on `dev_info`, wh= ich > > unfortunately does not initialize that 4-byte hole. Fix it by using > > memset() instead. > > > > Cc: stable@vger.kernel.org > > Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl= ()") > > Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") > > Suggested-by: Dan Carpenter > > Signed-off-by: Peilin Ye > > Reviewed-by: Christian K=C3=B6nig > > I can't count how many of those we have fixed over the years. > > At some point we should probably document that using "=3D {}" or "=3D { 0= }" > in the kernel is a really bad idea and should be avoided. Moreover, it seems like different compilers seem to behave relatively differently with these and we often get reports of warnings with these on clang. When in doubt, memset. Alex > > Thanks, > Christian. > > > --- > > $ pahole -C "drm_amdgpu_info_device" drivers/gpu/drm/amd/amdgpu/amdgpu_= kms.o > > struct drm_amdgpu_info_device { > > __u32 device_id; /* 0 4 *= / > > __u32 chip_rev; /* 4 4 *= / > > __u32 external_rev; /* 8 4 *= / > > __u32 pci_rev; /* 12 4 *= / > > __u32 family; /* 16 4 *= / > > __u32 num_shader_engines; /* 20 4 *= / > > __u32 num_shader_arrays_per_engine; /* 24= 4 */ > > __u32 gpu_counter_freq; /* 28 4 *= / > > __u64 max_engine_clock; /* 32 8 *= / > > __u64 max_memory_clock; /* 40 8 *= / > > __u32 cu_active_number; /* 48 4 *= / > > __u32 cu_ao_mask; /* 52 4 *= / > > __u32 cu_bitmap[4][4]; /* 56 64 *= / > > /* --- cacheline 1 boundary (64 bytes) was 56 bytes ago --- */ > > __u32 enabled_rb_pipes_mask; /* 120 4 = */ > > __u32 num_rb_pipes; /* 124 4 *= / > > /* --- cacheline 2 boundary (128 bytes) --- */ > > __u32 num_hw_gfx_contexts; /* 128 4 *= / > > __u32 _pad; /* 132 4 *= / > > __u64 ids_flags; /* 136 8 *= / > > __u64 virtual_address_offset; /* 144 8= */ > > __u64 virtual_address_max; /* 152 8 *= / > > __u32 virtual_address_alignment; /* 160 = 4 */ > > __u32 pte_fragment_size; /* 164 4 *= / > > __u32 gart_page_size; /* 168 4 *= / > > __u32 ce_ram_size; /* 172 4 *= / > > __u32 vram_type; /* 176 4 *= / > > __u32 vram_bit_width; /* 180 4 *= / > > __u32 vce_harvest_config; /* 184 4 *= / > > __u32 gc_double_offchip_lds_buf; /* 188 = 4 */ > > /* --- cacheline 3 boundary (192 bytes) --- */ > > __u64 prim_buf_gpu_addr; /* 192 8 *= / > > __u64 pos_buf_gpu_addr; /* 200 8 *= / > > __u64 cntl_sb_buf_gpu_addr; /* 208 8 *= / > > __u64 param_buf_gpu_addr; /* 216 8 *= / > > __u32 prim_buf_size; /* 224 4 *= / > > __u32 pos_buf_size; /* 228 4 *= / > > __u32 cntl_sb_buf_size; /* 232 4 *= / > > __u32 param_buf_size; /* 236 4 *= / > > __u32 wave_front_size; /* 240 4 *= / > > __u32 num_shader_visible_vgprs; /* 244 = 4 */ > > __u32 num_cu_per_sh; /* 248 4 *= / > > __u32 num_tcc_blocks; /* 252 4 *= / > > /* --- cacheline 4 boundary (256 bytes) --- */ > > __u32 gs_vgt_table_depth; /* 256 4 *= / > > __u32 gs_prim_buffer_depth; /* 260 4 *= / > > __u32 max_gs_waves_per_vgt; /* 264 4 *= / > > __u32 _pad1; /* 268 4 *= / > > __u32 cu_ao_bitmap[4][4]; /* 272 64 *= / > > /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */ > > __u64 high_va_offset; /* 336 8 *= / > > __u64 high_va_max; /* 344 8 *= / > > __u32 pa_sc_tile_steering_override; /* 352= 4 */ > > > > /* XXX 4 bytes hole, try to pack */ > > > > __u64 tcc_disabled_mask; /* 360 8 *= / > > > > /* size: 368, cachelines: 6, members: 49 */ > > /* sum members: 364, holes: 1, sum holes: 4 */ > > /* last cacheline: 48 bytes */ > > }; > > > > drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/= amd/amdgpu/amdgpu_kms.c > > index a8c47aecd342..0047da06041f 100644 > > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c > > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c > > @@ -707,9 +707,10 @@ static int amdgpu_info_ioctl(struct drm_device *de= v, void *data, struct drm_file > > return n ? -EFAULT : 0; > > } > > case AMDGPU_INFO_DEV_INFO: { > > - struct drm_amdgpu_info_device dev_info =3D {}; > > + struct drm_amdgpu_info_device dev_info; > > uint64_t vm_size; > > > > + memset(&dev_info, 0, sizeof(dev_info)); > > dev_info.device_id =3D dev->pdev->device; > > dev_info.chip_rev =3D adev->rev_id; > > dev_info.external_rev =3D adev->external_rev_id; > > _______________________________________________ > amd-gfx mailing list > amd-gfx@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/amd-gfx