Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932534Ab0KWAU6 (ORCPT ); Mon, 22 Nov 2010 19:20:58 -0500 Received: from mail-wy0-f174.google.com ([74.125.82.174]:47077 "EHLO mail-wy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932065Ab0KWAU4 (ORCPT ); Mon, 22 Nov 2010 19:20:56 -0500 DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=jROEqz8Cy6ltCVIa/5KSZN0vSkbUmAFFFR0D0Fo+Ed1qakj/te67NNv33MUFS6Xri5 kOUQbDXjcB1oFIkWnW7wlzpFpXJDhZ2T/DOAQcnba5fFbL+jg2dAdkSL1MCl/JD8q03j uPV9onzd9FZQG1FXIP384beIWC/PEpM02+nZw= Subject: Re: [PATCH v2] fs: select: fix information leak to userspace From: Eric Dumazet To: Andrew Morton Cc: Boaz Harrosh , Vasiliy Kulikov , Andreas Dilger , kernel-janitors@vger.kernel.org, Alexander Viro , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Jakub Jelinek In-Reply-To: <20101122155043.fbbb74f4.akpm@linux-foundation.org> References: <1289421483-23907-1-git-send-email-segooon@gmail.com> <20101112120834.33062900.akpm@linux-foundation.org> <8D90F8B2-EA29-4EB9-9807-294CE0D5523B@dilger.ca> <20101114092533.GB5323@albatros> <20101114180643.593d19ac.akpm@linux-foundation.org> <1289848341.2607.125.camel@edumazet-laptop> <4CE268C8.5010203@panasas.com> <20101122155043.fbbb74f4.akpm@linux-foundation.org> Content-Type: text/plain; charset="UTF-8" Date: Tue, 23 Nov 2010 01:20:48 +0100 Message-ID: <1290471649.2704.24.camel@edumazet-laptop> Mime-Version: 1.0 X-Mailer: Evolution 2.30.3 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1447 Lines: 77 Le lundi 22 novembre 2010 à 15:50 -0800, Andrew Morton a écrit : > Well. We certainly assume in many places that > > struct foo { > int a; > int b; > } f = { > .a = 1, > }; > > will initialise b to zero. But I doubt if much code at all assumes > that this initialisation patterm will reliably zero out *holes* in the > struct. > We did such assertions in the past, we were wrong. Check commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8 for an example (net sched: fix some kernel memory leaks) I guess we must make a full audit of all C99 initializers or structures copied to userspace, giving a name to hidden holes, to force gcc to init them to 0. # cat try.c struct s { char c; long l; }; void bar(void *v) { unsigned long *p = v; printf("%lx %lx\n", p[0], p[1]); } int main() { struct s s1 = { .c = 1, .l = 2, }; bar(&s1); return 0; } # gcc -O2 -o try try.c # ./try 8049401 2 Strangely, if we remove ".l = 2," line, gcc emits code to clear al the fields main: pushl %ebp movl %esp, %ebp andl $-16, %esp subl $32, %esp leal 24(%esp), %eax movl $0, 24(%esp) movl %eax, (%esp) movl $0, 28(%esp) movb $1, 24(%esp) call bar xorl %eax, %eax leave ret -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/