On Mon, Jul 27, 2020 at 06:33:57PM -0400, Peilin Ye wrote:
> On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote:
> > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd'
> > doesn't leak information (struct has a hole after 'flags')
>
> (Removed some Cc: recipients from the list.)
>
> I'm not very sure, but I think this one is also a false positive.
No, it's a potential bug.  You're overthinking what Smatch is complaining
about.  Arnd is right.

  3123 static int raw_cmd_copyout(int cmd, void __user *param,
  3124                            struct floppy_raw_cmd *ptr)
  3125 {
  3126         int ret;
  3127
  3128         while (ptr) {
  3129                 struct floppy_raw_cmd cmd = *ptr;
                                                  ^^^^^^^^^^
The compiler can either do this assignment as a memcpy() or as a series of
struct member assignments.  So the assignment can leave the struct hole
uninitialized.

  3130                 cmd.next = NULL;
  3131                 cmd.kernel_data = NULL;
  3132                 ret = copy_to_user(param, &cmd, sizeof(cmd));
                                                ^^^^
potential info leak.

  3133                 if (ret)
  3134                         return -EFAULT;
  3135                 param += sizeof(struct floppy_raw_cmd);
  3136                 if ((ptr->flags & FD_RAW_READ) && ptr->buffer_length) {
  3137                         if (ptr->length >= 0 &&
  3138                             ptr->length <= ptr->buffer_length) {
  3139                                 long length = ptr->buffer_length - ptr->length;
  3140                                 ret = fd_copyout(ptr->data, ptr->kernel_data,
  3141                                                  length);
  3142                                 if (ret)
  3143                                         return ret;
  3144                         }
  3145                 }
  3146                 ptr = ptr->next;
  3147         }
  3148
  3149         return 0;
  3150 }

regards,
dan carpenter
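The struct-hole leak described above, as an added user-space example that is not part of this thread or of drivers/block/floppy.c. It assumes a simplified stand-in for struct floppy_raw_cmd (only the leading members, which is enough to reproduce the 4-byte hole after 'flags' on LP64), models the stack slot of the local 'cmd' as a caller-supplied buffer pre-filled with a 0xAA pattern so the result is deterministic, and uses memcpy() in place of copy_to_user(). The member-wise copy is one of the two code shapes Dan mentions the compiler may emit for 'cmd = *ptr'; the hardened variant zeroes the object first, which is the usual remedy for this Smatch warning.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct floppy_raw_cmd (an assumption: only the
 * leading members are kept).  On LP64 the 4-byte 'flags' is followed by a
 * 4-byte hole before the 8-byte-aligned pointer 'data'. */
struct raw_cmd {
	unsigned int flags;
	void *data;
	char *kernel_data;
	struct raw_cmd *next;
	long length;
};

#define STALE 0xAA	/* byte pattern standing in for stale stack contents */

static size_t hole_start(void) { return offsetof(struct raw_cmd, flags) + sizeof(unsigned int); }
static size_t hole_end(void)   { return offsetof(struct raw_cmd, data); }

/* Size of the padding after 'flags': 4 on LP64, 0 on most ILP32 targets. */
size_t hole_after_flags(void)
{
	return hole_end() - hole_start();
}

/* Member-wise copy, one of the two code shapes a compiler may emit for
 * 'cmd = *ptr'.  Every named member is written; the padding is not. */
static void assign_members(struct raw_cmd *dst, const struct raw_cmd *src)
{
	dst->flags = src->flags;
	dst->data = src->data;
	dst->kernel_data = src->kernel_data;
	dst->next = src->next;
	dst->length = src->length;
}

/* Count STALE bytes inside the hole region of the bytes handed to user space. */
static size_t stale_in_hole(const unsigned char *user)
{
	size_t n = 0;

	for (size_t i = hole_start(); i < hole_end(); i++)
		n += (user[i] == STALE);
	return n;
}

/* Models the original raw_cmd_copyout(): 'scratch' stands for the stack
 * slot of the local 'cmd' (pre-dirtied by the caller), the members are
 * filled, two are cleared, then the whole object is copied out. */
static void copyout_leaky(struct raw_cmd *scratch, const struct raw_cmd *src,
			  unsigned char *user)
{
	assign_members(scratch, src);
	scratch->next = NULL;
	scratch->kernel_data = NULL;
	memcpy(user, scratch, sizeof(*scratch));	/* copy_to_user() */
}

/* Hardened variant: zero the whole object, padding included, before filling it. */
static void copyout_safe(struct raw_cmd *scratch, const struct raw_cmd *src,
			 unsigned char *user)
{
	memset(scratch, 0, sizeof(*scratch));
	assign_members(scratch, src);
	scratch->next = NULL;
	scratch->kernel_data = NULL;
	memcpy(user, scratch, sizeof(*scratch));	/* copy_to_user() */
}

/* Run one variant against a constructed command; return stale bytes leaked. */
static size_t leaked_bytes(void (*fn)(struct raw_cmd *, const struct raw_cmd *,
				      unsigned char *))
{
	struct raw_cmd src = { .flags = 0x5, .data = (void *)0x1000,
			       .kernel_data = (char *)0x2000, .length = 512 };
	struct raw_cmd scratch;
	unsigned char user[sizeof(struct raw_cmd)];

	memset(&scratch, STALE, sizeof(scratch));	/* stale stack frame */
	fn(&scratch, &src, user);
	return stale_in_hole(user);
}

size_t leaked_bytes_leaky(void) { return leaked_bytes(copyout_leaky); }
size_t leaked_bytes_safe(void)  { return leaked_bytes(copyout_safe); }

int main(void)
{
	printf("hole after flags: %zu bytes\n", hole_after_flags());
	printf("stale bytes copied out, original: %zu\n", leaked_bytes_leaky());
	printf("stale bytes copied out, memset:   %zu\n", leaked_bytes_safe());
	return 0;
}
```

The scratch parameter only exists to make the stale-stack case reproducible; in the real function the storage is the local 'cmd' itself, and the equivalent fix is a memset(&cmd, 0, sizeof(cmd)) before the members are filled in. Note that if the compiler chooses memcpy() for the assignment instead, the hole bytes come from *ptr rather than from the stack, which is why the warning cannot be dismissed by reasoning about one particular code generation.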