On Mon, Jul 27, 2020 at 04:05:38PM +0200, Arnd Bergmann wrote:
> On Mon, Jul 27, 2020 at 3:16 PM Dan Carpenter <dan.carpen...@oracle.com>
> wrote:
> >
> > On Mon, Jul 27, 2020 at 09:25:16AM +0200, Arnd Bergmann wrote:
> > > On Mon, Jul 27, 2020 at 12:28 AM Peilin Ye <yepeilin...@gmail.com> wrote:
> > > >
> > > > video_put_user() is copying uninitialized stack memory to userspace due
> > > > to the compiler not initializing holes in the structures declared on the
> > > > stack. Fix it by initializing `ev32` and `vb32` using memset().
> > > >
> > > > Reported-and-tested-by:
> > > > syzbot+79d751604cb6f29fb...@syzkaller.appspotmail.com
> > > > Link: https://syzkaller.appspot.com/bug?extid=79d751604cb6f29fbf59
> > > > Reviewed-by: Laurent Pinchart <laurent.pinch...@ideasonboard.com>
> > > > Signed-off-by: Peilin Ye <yepeilin...@gmail.com>
> > >
> > > Thanks a lot for addressing this! I now see that I actually created a
> > > similar
> > > bugfix for it back in January, but for some reason that got stuck in my
> > > backlog and I never wrote a proper description for it or sent it out to
> > > the
> > > list, sorry about that. I would hope we could find a way to have either
> > > the compiler or sparse warn if we copy uninitialized data to user space,
> > > but we now don't even check for that within the kernel any more.
> >
> > Here are my latest warnings on linux-next from Friday.
>
> Ah, I forgot you had that kind of list already, thanks for checking!
>
> > block/scsi_ioctl.c:707 scsi_put_cdrom_generic_arg() warn: check that
> > 'cgc32' doesn't leak information (struct has a hole after 'data_direction')
>
> I see no padding in this one, should be fine AFAICT. Any idea why you
> get a warning
> for this instance?
>
The warning message only prints the first struct hole or uninitialized
struct memeber. ->data_direction in this case.
block/scsi_ioctl.c
646 #ifdef CONFIG_COMPAT
647 struct compat_cdrom_generic_command {
648 unsigned char cmd[CDROM_PACKET_SIZE];
649 compat_caddr_t buffer;
650 compat_uint_t buflen;
651 compat_int_t stat;
652 compat_caddr_t sense;
653 unsigned char data_direction;
There is going to be 3 bytes of padding between this char and the next
int.
654 compat_int_t quiet;
655 compat_int_t timeout;
656 compat_caddr_t reserved[1];
657 };
658 #endif
The bug seems real, but it depends on the compiler of course.
> > drivers/input/misc/uinput.c:743 uinput_ff_upload_to_user() warn: check that
> > 'ff_up_compat' doesn't leak information (struct has a hole after 'replay')
>
> This one hs padding in it and looks broken.
No. This a bug in smatch. It's memcpy() over the hole, but the check
isn't capturing that. The code is slightly weird... I could try
silence the warning but it would only silence this one false positive so
I haven't investigated it.
>
> > drivers/input/misc/uinput.c:958 uinput_ioctl_handler() warn: check that
> > 'ff_up' doesn't leak information (struct has a hole after 'replay')
>
> hard to tell.
>
Looks ok, I think.
> > drivers/firewire/core-cdev.c:463 ioctl_get_info() warn: check that
> > 'bus_reset' doesn't leak information (struct has a hole after 'generation')
>
> broken, trivial to fix
>
> > drivers/scsi/megaraid/megaraid_mm.c:824 kioc_to_mimd() warn: check that
> > 'cinfo.base' doesn't leak information
>
> Seems fine due to __packed annotation.
>
It's not related __packed. Smatch is saying that cinfo.base isn't
necessarily initialized.
drivers/scsi/megaraid/megaraid_mm.c
816
817 case MEGAIOC_QADAPINFO:
818
819 hinfo = (mraid_hba_info_t *)(unsigned long)
820 kioc->buf_vaddr;
821
822 hinfo_to_cinfo(hinfo, &cinfo);
hinfo_to_cinfo() is a no-op if hinfo is NULL. Smatch can't tell if
"hinfo" is non-NULL.
823
824 if (copy_to_user(kmimd.data, &cinfo,
sizeof(cinfo)))
825 return (-EFAULT);
826
827 return 0;
828
> > drivers/gpio/gpiolib-cdev.c:473 lineevent_read() warn: check that 'ge'
> > doesn't leak information (struct has a hole after 'id')
>
> The driver seems to initialize the elements correctly before putting
> them into the kfifo, so there is no infoleak. However the structure layout
> of "struct gpioevent_data" is incompatible between x86-32 and x86-64
> calling conventions, so this is likely broken in x86 compat mode,
> unless user space can explicitly deal with the difference.
Smatch isn't parsing kfifo_out() correctly. It turns out that
kfifo_out() is slightly complicated for Smatch.
>
> > drivers/gpu/drm/i915/i915_query.c:136 query_engine_info() warn: check that
> > 'query.num_engines' doesn't leak information
>
> I don't think this leaks any state, as it just copies data to user space that
> it copied from there originally.
Yeah. copy_query_item() isn't parsed correctly. I've added this one
to my TODO list because it should parse this correctly.
regards,
dan carpenter
