On Tue, Jul 28, 2020 at 12:47:07PM +0300, Dan Carpenter wrote:
> On Mon, Jul 27, 2020 at 06:33:57PM -0400, Peilin Ye wrote:
> > On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote:
> > > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd'
> > > doesn't leak information (struct has a hole after 'flags')
> >
> > (Removed some Cc: recipients from the list.)
> >
> > I'm not very sure, but I think this one is also a false positive.
>
> No, it's a potential bug.  You're overthinking what Smatch is
> complaining about.  Arnd is right.
>
>   3123  static int raw_cmd_copyout(int cmd, void __user *param,
>   3124                             struct floppy_raw_cmd *ptr)
>   3125  {
>   3126          int ret;
>   3127
>   3128          while (ptr) {
>   3129                  struct floppy_raw_cmd cmd = *ptr;
>                                                     ^^^^^^^^^^
> The compiler can either do this assignment as a memcpy() or as a
> series of struct member assignments.  So the assignment can leave the
> struct hole uninitialized.
I see, I didn't realize this line could cause the issue.  Thank you for
pointing this out, I will do this, then send a patch:

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 09079aee8dc4..398c261fd174 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3126,7 +3126,8 @@ static int raw_cmd_copyout(int cmd, void __user *param,
 	int ret;
 
 	while (ptr) {
-		struct floppy_raw_cmd cmd = *ptr;
+		struct floppy_raw_cmd cmd;
+		memcpy(&cmd, ptr, sizeof(cmd));
 		cmd.next = NULL;
 		cmd.kernel_data = NULL;
 		ret = copy_to_user(param, &cmd, sizeof(cmd));

Thank you,
Peilin Ye

>   3130                  cmd.next = NULL;
>   3131                  cmd.kernel_data = NULL;
>   3132                  ret = copy_to_user(param, &cmd, sizeof(cmd));
>                                                  ^^^^
> potential info leak.
>
>   3133                  if (ret)
>   3134                          return -EFAULT;
>   3135                  param += sizeof(struct floppy_raw_cmd);
>   3136                  if ((ptr->flags & FD_RAW_READ) && ptr->buffer_length) {
>   3137                          if (ptr->length >= 0 &&
>   3138                              ptr->length <= ptr->buffer_length) {
>   3139                                  long length = ptr->buffer_length - ptr->length;
>   3140                                  ret = fd_copyout(ptr->data, ptr->kernel_data,
>   3141                                                   length);
>   3142                                  if (ret)
>   3143                                          return ret;
>   3144                          }
>   3145                  }
>   3146                  ptr = ptr->next;
>   3147          }
>   3148
>   3149          return 0;
>   3150  }
>
> regards,
> dan carpenter
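Review bot: the memcpy(&cmd, ptr, sizeof(cmd)) in this hunk copies the hole after `flags` byte-for-byte from *ptr, so what copy_to_user() now hands out is whatever sits in the padding of *ptr instead of uninitialized stack; that closes the leak only if the padding of *ptr is itself known to hold nothing sensitive, and nothing in the hunk shows how the object behind ptr was filled. Either state in the commit message why *ptr's padding is safe, or make cmd independent of it with `memset(&cmd, 0, sizeof(cmd));` followed by per-member assignments, which also keeps working if the struct ever gains a second hole. Minor: checkpatch will ask for a blank line between `struct floppy_raw_cmd cmd;` and the memcpy() call.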
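The three copy strategies discussed in the thread, side by side, as an added example written for this page (it is not kernel code and not Peilin's patch): `struct raw_cmd` is a constructed stand-in for `struct floppy_raw_cmd` with a hole after `flags`, the helper names (`poison_padding`, `nonzero_padding`, `leaked_after`, the three `copy_with_*` functions) are this example's own, and `leaked_after()` models the stale bytes with a fixed fill pattern rather than real kernel stack contents.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct floppy_raw_cmd (constructed for this example).  The
 * narrow flags member guarantees a hole before `data` on every common ABI;
 * the real struct has unsigned int flags, a 4-byte hole on 64-bit targets. */
struct raw_cmd {
	unsigned char flags;
	void *data;
	char *kernel_data;
	struct raw_cmd *next;
};

/* The only padding in struct raw_cmd is the hole between flags and data. */
size_t padding_bytes(void)
{
	return offsetof(struct raw_cmd, data) - sizeof(unsigned char);
}

static int is_padding(size_t off)
{
	return off >= sizeof(unsigned char) && off < offsetof(struct raw_cmd, data);
}

/* Set every padding byte of *c to v (models stale data sitting in the hole). */
void poison_padding(struct raw_cmd *c, unsigned char v)
{
	size_t off;
	for (off = 0; off < sizeof(*c); off++)
		if (is_padding(off))
			((unsigned char *)c)[off] = v;
}

/* Padding bytes of *c that are nonzero: what copy_to_user() would hand out. */
size_t nonzero_padding(const struct raw_cmd *c)
{
	size_t off, n = 0;
	for (off = 0; off < sizeof(*c); off++)
		if (is_padding(off) && ((const unsigned char *)c)[off])
			n++;
	return n;
}

/* The patch: block memcpy(), so padding arrives verbatim from *src. */
void copy_with_memcpy(struct raw_cmd *dst, const struct raw_cmd *src)
{
	memcpy(dst, src, sizeof(*dst));
	dst->next = NULL;
	dst->kernel_data = NULL;
}

/* Defensive variant: zero the object, then assign only the members you keep. */
void copy_with_memset(struct raw_cmd *dst, const struct raw_cmd *src)
{
	memset(dst, 0, sizeof(*dst));
	dst->flags = src->flags;
	dst->data = src->data;
}

/* The original code: struct assignment.  Whether dst's padding is rewritten
 * depends on whether the compiler emits a block copy or member-wise stores. */
void copy_with_assignment(struct raw_cmd *dst, const struct raw_cmd *src)
{
	*dst = *src;
	dst->next = NULL;
	dst->kernel_data = NULL;
}

/* Source padding = src_pad, destination padding = 0xAA; run `copy` and return
 * how many destination padding bytes are still nonzero (-1: members wrong). */
long leaked_after(void (*copy)(struct raw_cmd *, const struct raw_cmd *),
		  unsigned char src_pad)
{
	static int x;
	struct raw_cmd src, dst;

	memset(&src, 0, sizeof(src));
	src.flags = 0x10;
	src.data = &x;
	src.kernel_data = (char *)&x;
	src.next = &src;
	poison_padding(&src, src_pad);
	poison_padding(&dst, 0xAA);
	copy(&dst, &src);
	if (dst.flags != 0x10 || dst.data != &x || dst.next || dst.kernel_data)
		return -1;
	return (long)nonzero_padding(&dst);
}

int main(void)
{
	printf("memcpy, stale source padding: %ld leaked\n", leaked_after(copy_with_memcpy, 0x41));
	printf("memset+assign, stale source:  %ld leaked\n", leaked_after(copy_with_memset, 0x41));
	printf("assignment, clean source:     %ld leaked (compiler-dependent)\n",
	       leaked_after(copy_with_assignment, 0x00));
	return 0;
}
```

The memcpy() case always reports the full hole as nonzero: it faithfully reproduces whatever the source's padding contains, so it is only as safe as the object it copies from. The memset-then-assign case reports zero regardless of the source. The plain-assignment case is the one Smatch flags: with the destination pre-filled, the result is either zero or the full hole depending on how the compiler chose to implement `*dst = *src`, which is exactly why the original line cannot be relied on.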