Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp1745706ybg; Thu, 30 Jul 2020 01:16:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJylBCuDh3qGlCBS3e7OXvmN7tJvKlq+qJLkGQdW2BVFoj6dPVamHcWaFfyMbTCKLLcB9MQY X-Received: by 2002:a05:6402:cb9:: with SMTP id cn25mr1527989edb.247.1596097018444; Thu, 30 Jul 2020 01:16:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596097018; cv=none; d=google.com; s=arc-20160816; b=q/ogkmLm1Hu6AHn5Oibbb6R+QmiR5USV2OCjbv4imDBzHMvUzhNsYOQQEgghugiODE GAx9ng/itSUmacdoV5SUWDfeJeQLgla2QmVqerQyqN/fdqzznUkNbK++VI3y1pyMZzVO cXr4keNHJHdN5eCggzjvNVFYI6o/Wzy/NbBvkvjrduQZMwKD8Mwwnv0HnURq2NiVf7BO uxKJDksnsR7cMGfnp7HaJU1LREsQ37fL4z71wVBevRqHYu0wkmBVbWN5nx1+c9qwPuc9 G/u6LkafJT7h7XQEouANAFax3rulQ0+zIJlwCgZ4APMSIYJySfpigz2blSbbOI3vNmpa YV5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=RMggscuU3oZ9iudl4AfpKBSsBDhQgdFLC2JTA3Vl5yM=; b=pktgIsA9/NBNF6oJol6WKHWJ22kA9PrjdGzX8nveE6Bq2Ulx5O4nosHnViv2WMMtnT F3kdoKk+ZTB8pEzUvzfeJIXLGkC7onb0Gs6swFdqupZRdutcbja3Pna1FgDHWzjbGpQs KU7ILr7TajszgTnBlCiIHikMeZA7Bjw+rMt2kwO4LY1bEI6d+6dpmhQscfF527gCWZxK hXh8nYw28oTm/spCUCzNjo+V5pndyTl0ENlacam4EG735Vpm/ddg+ogELwN88zLElXiT kHnhnW5jxr233iLoPtVpSD+EY/6iKfZWFO4WjMHLgbamXYf0m6Zz3j+1CjobHdAlWoXf 458w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l18si2803304edq.425.2020.07.30.01.16.36; Thu, 30 Jul 2020 01:16:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730257AbgG3IQJ (ORCPT + 99 others); Thu, 30 Jul 2020 04:16:09 -0400 Received: from mout.kundenserver.de ([212.227.17.10]:42273 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729424AbgG3IL1 (ORCPT ); Thu, 30 Jul 2020 04:11:27 -0400 Received: from mail-qt1-f173.google.com ([209.85.160.173]) by mrelayeu.kundenserver.de (mreue107 [212.227.15.145]) with ESMTPSA (Nemesis) id 1MXpQA-1kHgrQ2420-00Y9g6; Thu, 30 Jul 2020 10:11:24 +0200 Received: by mail-qt1-f173.google.com with SMTP id o22so19471336qtt.13; Thu, 30 Jul 2020 01:11:24 -0700 (PDT) X-Gm-Message-State: AOAM53112YMrI1YItF6CAgt8WRH188Rba8WbZL8hhaq7oMHDM2b2KoD8 B28X5U6AwJylWSO5Cx6+RN/f/WA2+NzN4ZjAbEA= X-Received: by 2002:aed:2946:: with SMTP id s64mr1820401qtd.204.1596096683269; Thu, 30 Jul 2020 01:11:23 -0700 (PDT) MIME-Version: 1.0 References: <20200728141946.426245-1-yepeilin.cs@gmail.com> <20200729115157.8519-1-yepeilin.cs@gmail.com> <20200729125820.GB1840@kadam> In-Reply-To: From: Arnd Bergmann Date: Thu, 30 Jul 2020 10:11:07 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [Linux-kernel-mentees] [PATCH v2] block/floppy: Prevent kernel-infoleak in raw_cmd_copyout() To: Denis Efremov Cc: Dan Carpenter , Peilin Ye , Jens Axboe , "linux-kernel@vger.kernel.org" , linux-block , linux-kernel-mentees@lists.linuxfoundation.org, Kees Cook Content-Type: text/plain; charset="UTF-8" X-Provags-ID: V03:K1:WKfzjuFnGRw3OvhrL5U3oP+zdQSICdJwRT+YAQE6KeBvZrjXHix GK55VGH5GiV0guHajImKtAU5Fcp96pvBWq6WT9ecv259t9+hK5fpZV0xw1DXDl4Aw9CXMeQ vSi69vNoiAhaDQem+U6bZWtED9yTgTY8Dcg1phuGKq549XeTrPp9pRNxIj2YDUwwtHd8siD DskXfhI6XFiAE6LfrvMQA== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:h4zwwkv9Zb4=:bjifiEJFF+2dRDosiT4ZYQ uSNW93BZu9jkT+VY/8nHNZ5gwgaRUI8LahdvzdoCaQ7jsIDqe6h9Q8RfujPWwZqFx4mMredwF TJ27Oega4jL3cA9i9JP+CwFOL6Jo6xkFiR8HsI0Y9TQW6/K4/y+cwhN3R5nK0AJWOTnSL1ifG BrKcIAJaPAwYiySOTGySxLd/5q8+bxtOwqapgOg5wM3VTtlQnPYT9znZ5ggxmPmPvXbvSHFKk tXPuCFVquhJidlGVnDTtUbhwO9Sz+ydrRaYTQ3f49UFJ1uX/3y3TrpCIKnFFD6mUSrC1EuY0Z cf8egNpV6OCpZdXWjocSQW6y3vJ4yAdEMqkwGgcyrNAlhCJ46/HxXStHRrkQZqWixjmTk9lG3 ycnAQzFQgp3w8NT17U8rz5YsvoUzpDo4UhLtQm/x8vT42fkHGgMTEUhFT8+ho3h9cFFNPvgcZ 8Cibx531qNTpi2qNW1q+jJLxWXt2VQYUyC/TKxMFhiTi18c1+zPoCwsazrPgzwPeQfSGCtdwO Q5/J/o6EEzLGz6kQkQcFIRKsSVxbUg5caeqYCjQLy61XkJPMNDxlkyPTtZBCBnGBnlkSVUtey XoQhu0hV6BlslSuJA5gv3KT10c85GDSeU8MCQGbCLxcrdCHF13zxGqO+GabOrvP+0iMhQ1z2r VTUT28txlY7esGHZ1iZIFB0wce1aHV+QqLfwjQBbTjBaRFB3MpNTUQNBaIwavXk8+RkFl8Mrj eL3UfxSTDx8xwyMEqulRdbvI6cKD3wfQxWGZA8v6spx6O+lgE2apB/9XVR5cXxu2LBogXMqjn 44DPp92fy4huvriFZDaPXUHkLP+2Bwb8bwZdqkT2OVgFnfNu/7xV2EynxWM4YSpKgdQWVUvPP AV8V4+gfWGCd8TN3Eb/5CMYwk75MKwPrWb6F6mOF+MJJUawSzEkf6+dpjw/zqYV0T+3zqrFLd GaqOFA1VdpZ3vvRXuq9U7EXgEQarzihhFtbarxFKm8gvy5BHzhNrg Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Wed, Jul 29, 2020 at 3:22 PM Denis Efremov wrote: > And checked for leaks on x86_64 with the script test.sh > $ cat test.sh > #!/bin/bash > > for i in 4.8 5 6 7 8 9 10 > do > ./run_container.sh gcc-$i $(pwd)/src $(pwd)/out bash -c 'gcc test.c; ./a.out' > ./run_container.sh gcc-$i $(pwd)/src $(pwd)/out bash -c 'gcc -O2 test.c; ./a.out' > ./run_container.sh gcc-$i $(pwd)/src $(pwd)/out bash -c 'gcc -O3 test.c; ./a.out' > done > > No leaks reported. Is it really possible this this kind of init, i.e. cmd = *ptr? The problem is that the behavior is dependent not just on the compiler version but also optimization flags, target architecture and specific structure layouts. Most of the time, both gcc and clang will initialize the whole structure rather than just the individual members, but you still can't be sure that this is true for all configurations that this code runs on, except by using CONFIG_GCC_PLUGIN_STRUCTLEAK. Kees pointed me to the lib/test_stackinit.c file in the kernel in which he has collected a number of combinations that are known to trigger the problem. What I see there though are only cases of struct initializers like struct test_big_hole var = { .one = arg->one, .two=arg->two, .three = arg->three, .four = arg->four }; but not the syntax used in the floppy driver: struct test_big_hole var = *arg; or the a constructor like struct test_big_hole var; var = (struct test_big_hole){ .one = arg->one, .two=arg->two, .three = arg->three, .four = arg->four }; Kees, do you know whether those two would behave differently? Would it make sense to also check for those, or am I perhaps misreading your code and it already gets checked? Arnd