2013-04-21 11:10:36

by Dan Carpenter

Subject: [patch] gru: info leak in gru_get_config_info()

The "info.fill" array isn't initialized so it can leak uninitialized
stack information to user space.

Signed-off-by: Dan Carpenter <[email protected]>

diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
index 44d273c..ed5fc43 100644
--- a/drivers/misc/sgi-gru/grufile.c
+++ b/drivers/misc/sgi-gru/grufile.c
@@ -176,6 +176,7 @@ static long gru_get_config_info(unsigned long arg)
info.nodes = num_online_nodes();
info.blades = info.nodes / nodesperblade;
info.chiplets = GRU_CHIPLETS_PER_BLADE * info.blades;
+ memset(&info.fill, 0, sizeof(info.fill));

if (copy_to_user((void __user *)arg, &info, sizeof(info)))
return -EFAULT;
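Review bot: the added memset() at the end of this hunk clears only info.fill, so any compiler padding between the struct's fields, and any field added to the struct later without a matching assignment, would still reach copy_to_user() uninitialised. Consider clearing the whole object before the first assignment instead, e.g. memset(&info, 0, sizeof(info)); ahead of info.nodes = num_online_nodes();, so the zeroing does not depend on the struct's current layout.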


2013-04-21 12:06:06

by Walter Harms

Subject: Re: [patch] gru: info leak in gru_get_config_info()



Am 21.04.2013 13:10, schrieb Dan Carpenter:
> The "info.fill" array isn't initialized so it can leak uninitialized
> stack information to user space.
>
> Signed-off-by: Dan Carpenter <[email protected]>
>
> diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> index 44d273c..ed5fc43 100644
> --- a/drivers/misc/sgi-gru/grufile.c
> +++ b/drivers/misc/sgi-gru/grufile.c
> @@ -176,6 +176,7 @@ static long gru_get_config_info(unsigned long arg)
> info.nodes = num_online_nodes();
> info.blades = info.nodes / nodesperblade;
> info.chiplets = GRU_CHIPLETS_PER_BLADE * info.blades;
> + memset(&info.fill, 0, sizeof(info.fill));
>

The other way around (clear all bytes first) looks easier
in case someone adds more elements to the struct.

memset(&info, 0, sizeof(info));
info.nodes = num_online_nodes();
info.blades = info.nodes / nodesperblade;
....

re,
wh


> if (copy_to_user((void __user *)arg, &info, sizeof(info)))
> return -EFAULT;

2013-04-21 13:19:07

by Robin Holt

Subject: Re: [patch] gru: info leak in gru_get_config_info()

On Sun, Apr 21, 2013 at 01:56:57PM +0200, walter harms wrote:
>
>
> Am 21.04.2013 13:10, schrieb Dan Carpenter:
> > The "info.fill" array isn't initialized so it can leak uninitialized
> > stack information to user space.
> >
> > Signed-off-by: Dan Carpenter <[email protected]>
> >
> > diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> > index 44d273c..ed5fc43 100644
> > --- a/drivers/misc/sgi-gru/grufile.c
> > +++ b/drivers/misc/sgi-gru/grufile.c
> > @@ -176,6 +176,7 @@ static long gru_get_config_info(unsigned long arg)
> > info.nodes = num_online_nodes();
> > info.blades = info.nodes / nodesperblade;
> > info.chiplets = GRU_CHIPLETS_PER_BLADE * info.blades;
> > + memset(&info.fill, 0, sizeof(info.fill));
> >
>
> the other way around (clear first all bytes) looks more easy
> in case someone will add more elements to the struct.
>
> memset(&info, 0, sizeof(info));
> info.nodes = num_online_nodes();
> info.blades = info.nodes / nodesperblade;

That does seem more safe.

Robin
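To show concretely what the two variants of the fix change, here is an added example that is not part of this thread or of the driver's code: a constructed struct with a reserved fill array, the field assignments done as in the driver without clearing the struct, and the v2 approach of clearing the whole struct before the first assignment. Stale stack contents are simulated with a 0xA5 poison so the result is deterministic; the struct layout and the field values (8 CPUs, 4 nodes, 2 nodes per blade) are assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for the driver's config struct: topology fields plus
 * a reserved fill array, all of which copy_to_user() hands out verbatim. */
struct cfg_info {
    int cpus, nodes, blades, chiplets;
    int fill[16];               /* reserved for future use */
};

/* Assumed field computation; the real driver queries the platform. */
static void fill_fields(struct cfg_info *info, int cpus, int nodes, int nodesperblade)
{
    info->cpus = cpus;
    info->nodes = nodes;
    info->blades = nodes / nodesperblade;
    info->chiplets = 2 * info->blades;
}

/* Count bytes still holding the 0xA5 poison: bytes the code never wrote and
 * which would therefore reach user space unchanged. */
size_t unwritten_bytes(const struct cfg_info *info)
{
    const unsigned char *p = (const unsigned char *)info;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*info); i++)
        if (p[i] == 0xA5) n++;
    return n;
}

/* Before the fix: fields are assigned, the rest is whatever the stack held.
 * The poison stands in for stale stack data; returns 64 (16 ints of fill). */
size_t leak_before_fix(void)
{
    struct cfg_info info;
    memset(&info, 0xA5, sizeof(info));
    fill_fields(&info, 8, 4, 2);
    return unwritten_bytes(&info);
}

/* Patch v2: clear the whole struct before the first assignment, so fill,
 * padding and any field added later all reach user space as zero. */
size_t leak_after_fix(void)
{
    struct cfg_info info;
    memset(&info, 0xA5, sizeof(info));  /* same stale-stack simulation */
    memset(&info, 0, sizeof(info));     /* the fix */
    fill_fields(&info, 8, 4, 2);
    return unwritten_bytes(&info);
}
```

Adding a new field to struct cfg_info without touching fill_fields() raises the count returned by leak_before_fix() but leaves leak_after_fix() at zero, which is the point Walter makes above.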

2013-04-21 17:01:17

by Dan Carpenter

Subject: [patch v2] gru: info leak in gru_get_config_info()

The "info.fill" array isn't initialized so it can leak uninitialized
stack information to user space.

Signed-off-by: Dan Carpenter <[email protected]>
---
v2: style changes

diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
index 44d273c..0535d1e 100644
--- a/drivers/misc/sgi-gru/grufile.c
+++ b/drivers/misc/sgi-gru/grufile.c
@@ -172,6 +172,7 @@ static long gru_get_config_info(unsigned long arg)
nodesperblade = 2;
else
nodesperblade = 1;
+ memset(&info, 0, sizeof(info));
info.cpus = num_online_cpus();
info.nodes = num_online_nodes();
info.blades = info.nodes / nodesperblade;
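Review bot: the memset(&info, 0, sizeof(info)) in this hunk sits before the first write to info (info.cpus), so fill, any compiler padding and any field added later are all zeroed before copy_to_user(), which addresses the layout concern raised against v1. A documentation point: the commit message still describes only the info.fill array as the problem while the fix clears the entire struct; consider stating that the whole struct is cleared so that padding bytes are covered as well.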

2013-04-21 17:33:51

by Dimitri Sivanich

Subject: Re: [patch v2] gru: info leak in gru_get_config_info()

Acked-by: Dimitri Sivanich <[email protected]>

On Sun, Apr 21, 2013 at 08:01:07PM +0300, Dan Carpenter wrote:
> The "info.fill" array isn't initialized so it can leak uninitialized
> stack information to user space.
>
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> v2: style changes
>
> diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> index 44d273c..0535d1e 100644
> --- a/drivers/misc/sgi-gru/grufile.c
> +++ b/drivers/misc/sgi-gru/grufile.c
> @@ -172,6 +172,7 @@ static long gru_get_config_info(unsigned long arg)
> nodesperblade = 2;
> else
> nodesperblade = 1;
> + memset(&info, 0, sizeof(info));
> info.cpus = num_online_cpus();
> info.nodes = num_online_nodes();
> info.blades = info.nodes / nodesperblade;

2013-04-22 16:41:21

by Robin Holt

Subject: Re: [patch v2] gru: info leak in gru_get_config_info()

Acked-by: Robin Holt <[email protected]>

On Sun, Apr 21, 2013 at 12:33:34PM -0500, Dimitri Sivanich wrote:
> Acked-by: Dimitri Sivanich <[email protected]>
>
> On Sun, Apr 21, 2013 at 08:01:07PM +0300, Dan Carpenter wrote:
> > The "info.fill" array isn't initialized so it can leak uninitialized
> > stack information to user space.
> >
> > Signed-off-by: Dan Carpenter <[email protected]>
> > ---
> > v2: style changes
> >
> > diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> > index 44d273c..0535d1e 100644
> > --- a/drivers/misc/sgi-gru/grufile.c
> > +++ b/drivers/misc/sgi-gru/grufile.c
> > @@ -172,6 +172,7 @@ static long gru_get_config_info(unsigned long arg)
> > nodesperblade = 2;
> > else
> > nodesperblade = 1;
> > + memset(&info, 0, sizeof(info));
> > info.cpus = num_online_cpus();
> > info.nodes = num_online_nodes();
> > info.blades = info.nodes / nodesperblade;