Re: [Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix kernel-infoleak in video_put_user()

Tue, 28 Jul 2020 06:14:23 -0700 

On Tue, Jul 28, 2020 at 12:47:07PM +0300, Dan Carpenter wrote:
> On Mon, Jul 27, 2020 at 06:33:57PM -0400, Peilin Ye wrote:
> > On Mon, Jul 27, 2020 at 04:16:08PM +0300, Dan Carpenter wrote:
> > > drivers/block/floppy.c:3132 raw_cmd_copyout() warn: check that 'cmd' 
> > > doesn't leak information (struct has a hole after 'flags')
> > 
> > (Removed some Cc: recipients from the list.)
> > 
> > I'm not very sure, but I think this one is also a false positive.
> 
> No, it's a potential bug.  You're over thinking what Smatch is
> complaining about.  Arnd is right.
> 
>   3123  static int raw_cmd_copyout(int cmd, void __user *param,
>   3124                                    struct floppy_raw_cmd *ptr)
>   3125  {
>   3126          int ret;
>   3127  
>   3128          while (ptr) {
>   3129                  struct floppy_raw_cmd cmd = *ptr;
>                                               ^^^^^^^^^^
> The compiler can either do this assignment as an memcpy() or as a
> series of struct member assignments.  So the assignment can leave the
> struct hole uninitialized.

I see, I didn't realize this line could cause the issue. Thank you for
pointing this out, I will do this then send a patch:

diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 09079aee8dc4..398c261fd174 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3126,7 +3126,8 @@ static int raw_cmd_copyout(int cmd, void __user *param,
        int ret;

        while (ptr) {
-               struct floppy_raw_cmd cmd = *ptr;
+               struct floppy_raw_cmd cmd;
+               memcpy(&cmd, ptr, sizeof(cmd));
                cmd.next = NULL;
                cmd.kernel_data = NULL;
                ret = copy_to_user(param, &cmd, sizeof(cmd));

Thank you,
Peilin Ye

>   3130                  cmd.next = NULL;
>   3131                  cmd.kernel_data = NULL;
>   3132                  ret = copy_to_user(param, &cmd, sizeof(cmd));
>                                                   ^^^^
> potential info leak.
> 
>   3133                  if (ret)
>   3134                          return -EFAULT;
>   3135                  param += sizeof(struct floppy_raw_cmd);
>   3136                  if ((ptr->flags & FD_RAW_READ) && ptr->buffer_length) 
> {
>   3137                          if (ptr->length >= 0 &&
>   3138                              ptr->length <= ptr->buffer_length) {
>   3139                                  long length = ptr->buffer_length - 
> ptr->length;
>   3140                                  ret = fd_copyout(ptr->data, 
> ptr->kernel_data,
>   3141                                                   length);
>   3142                                  if (ret)
>   3143                                          return ret;
>   3144                          }
>   3145                  }
>   3146                  ptr = ptr->next;
>   3147          }
>   3148  
>   3149          return 0;
>   3150  }
> 
> regards,
> dan carpenter

Reply via email to