Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp2477191ybg; Fri, 31 Jul 2020 00:11:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxXM41Zy5Xn9M/0GfNTUtRcE7SgsSOlFV1FWiOxkTyiNO6jDTpXw8JxcR9WmXu75hTqa4Fu X-Received: by 2002:a05:6402:3048:: with SMTP id bu8mr2576302edb.367.1596179491923; Fri, 31 Jul 2020 00:11:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596179491; cv=none; d=google.com; s=arc-20160816; b=hIEzeEtdtTRGVUfxWTMlennlevoo9+2nnxnnWmFrM21SbkRp2ycelYYBkkNQnAinnv 7+Fthcofg4OrVK/MIZzslo/fQjUSHN3NvQ/tSEM0iuPtZIf7U9PZTzhtTbe4M8jJEuR1 8eRwCwUemeASUhV0SpG5BB4vHyoztbxOmRsQTY7LGR9qU9UzTIqv/gr9OGMpBQoaw2Vg dgiqclutsODguC4RQ4O6y7V9vTT3tVJ5DJQKEs3/eJrIv+yGo4LYL3+hrrJTkYjJ0x13 6c3vPC9klQx/K256stXSDXN1yXFxJCcVyJ7dOeBYy7kzXqFRwfC74+i5X6pMDaB9RxBe ST9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=SQucBjmxuIgom7c7bDNRfSTklc83K98IVr78NeBAONo=; b=f2oqk/e4xSgfVf+ttLFKd0009qmfXAaoM/+4wDFLRmoUCnfVLkccQkoJqcQWPXLCMp g7s31VOvkmtETgOfRi4fwi8MqaKGFtoTh+wTDlJKZn/9yWc33azwJKU+8v2NRh/cWEki k9UoGEqRoeMP06sNvzF2FpHBuUuiZCYQLzHTJbCYKhvdWCHeJ9/jjPXWQkXuhCHCNoio fwOLKLnSNXFzTDw4QhDTpdqng2AlpiezoxAZ6ajTFjOruSK6uVpLu12cOSejfOe/ac8j w5xuHqOcv+7HzcXQ2C1uqCfiqDT+lDJla6cfcoF5JTVcrPvjtF73XQB9u3ChH5EvKU4q popQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=l7mivUnG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h22si4348586ejj.363.2020.07.31.00.11.09; Fri, 31 Jul 2020 00:11:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=l7mivUnG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731503AbgGaHLF (ORCPT + 99 others); Fri, 31 Jul 2020 03:11:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:36708 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731367AbgGaHLF (ORCPT ); Fri, 31 Jul 2020 03:11:05 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 01AEA20829; Fri, 31 Jul 2020 07:11:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1596179464; bh=X/J2+wggs6Q/+dQEZBM7rPDCO1dMLe1HR5mFj7eHskc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=l7mivUnGiCm8GPMsG0EUxQkqb4xEooddqGRjlQ/mXhi7+nGoyhXyGuXO13fhPdcxK rt2gRV96hVA2pro+AhT6fSb6Wc5jnVgcRKARXsj5aZWjStbLclPOFxzAGKjtQ9bCxE RIlwYW7LSBcD0ahRmmF22pI7zVbssTSi2S36k1HI= Date: Fri, 31 Jul 2020 09:10:52 +0200 From: Greg Kroah-Hartman To: Christian =?iso-8859-1?Q?K=F6nig?= Cc: Luben Tuikov , Alex Deucher , Xiaojie Yuan , Thomas Zimmermann , Arnd Bergmann , David Airlie , Felix Kuehling , LKML , amd-gfx list , Nicholas Kazlauskas , Marek =?utf-8?B?T2zFocOhaw==?= , Hans de Goede , Trek , Maling list - DRI developers , Daniel Vetter , Alex Deucher , Evan Quan , Leo Liu , Peilin Ye , Dan Carpenter , linux-kernel-mentees@lists.linuxfoundation.org Subject: Re: [Linux-kernel-mentees] [PATCH] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() Message-ID: <20200731071052.GA1522097@kroah.com> References: <20200728192924.441570-1-yepeilin.cs@gmail.com> <30b2a31f-77c2-56c1-ecde-875c6eea99d5@gmail.com> <8c5cf518-12d2-7495-7822-c7ebf8e61972@amd.com> <20200731065322.GA1518178@kroah.com> <690213fd-d3d2-2253-dcb2-367a65b34f38@amd.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <690213fd-d3d2-2253-dcb2-367a65b34f38@amd.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 31, 2020 at 08:57:53AM +0200, Christian K?nig wrote: > Am 31.07.20 um 08:53 schrieb Greg Kroah-Hartman: > > On Thu, Jul 30, 2020 at 05:09:07PM -0400, Luben Tuikov wrote: > > > On 2020-07-29 9:49 a.m., Alex Deucher wrote: > > > > On Wed, Jul 29, 2020 at 4:11 AM Christian K?nig > > > > wrote: > > > > > Am 28.07.20 um 21:29 schrieb Peilin Ye: > > > > > > Compiler leaves a 4-byte hole near the end of `dev_info`, causing > > > > > > amdgpu_info_ioctl() to copy uninitialized kernel stack memory to userspace > > > > > > when `size` is greater than 356. > > > > > > > > > > > > In 2015 we tried to fix this issue by doing `= {};` on `dev_info`, which > > > > > > unfortunately does not initialize that 4-byte hole. Fix it by using > > > > > > memset() instead. > > > > > > > > > > > > Cc: stable@vger.kernel.org > > > > > > Fixes: c193fa91b918 ("drm/amdgpu: information leak in amdgpu_info_ioctl()") > > > > > > Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") > > > > > > Suggested-by: Dan Carpenter > > > > > > Signed-off-by: Peilin Ye > > > > > Reviewed-by: Christian K?nig > > > > > > > > > > I can't count how many of those we have fixed over the years. > > > > > > > > > > At some point we should probably document that using "= {}" or "= { 0 }" > > > > > in the kernel is a really bad idea and should be avoided. > > > > Moreover, it seems like different compilers seem to behave relatively > > > > differently with these and we often get reports of warnings with these > > > > on clang. When in doubt, memset. > > > There are quite a few of those under drivers/gpu/drm, for "amd/", "scheduler/" > > > drm*.c files, > > > > > > $find . \( -regex "./drm.*\.c" -or -regex "./amd/.*\.c" -or -regex "./scheduler/.*\.c" \) -exec egrep -n -- " *= *{ *(|NULL|0) *}" \{\} \+ | wc -l > > > 374 > > > $_ > > > > > > Out of which only 16 are of the non-ISO C variety, "= {}", > > > > > > $find . \( -regex "./drm.*\.c" -or -regex "./amd/.*\.c" -or -regex "./scheduler/.*\.c" \) -exec egrep -n -- " *= *{ *}" \{\} \+ | wc -l > > > 16 > > > $_ > > > > > > Perhaps the latter are the more pressing ones, since it is a C++ initializer and not a ISO C one. > > It only matters when we care copying the data to userspace, if it all > > stays in the kernel, all is fine. > > Well only as long as you don't try to compute a CRC32, MD5 or any > fingerprint for a hash from the bytes from the structure. > > Then it fails horrible and you wonder why the code doesn't works as > expected. True, but the number of times I have ever needed to do that to a structure for a driver is, um, never... If a structure ever needs to have that happen to it, I would sure hope the developer was aware of padding fields, otherwise, well, someone needs to take away their C language certification :) thanks, greg k-h