On 7/30/20 12:20 PM, Peilin Ye wrote:
rds_notify_queue_get() is potentially copying uninitialized kernel stack memory to userspace since the compiler may leave a 4-byte hole at the end of `cmsg`.In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which unfortunately does not always initialize that 4-byte hole. Fix it by using memset() instead. Cc: sta...@vger.kernel.org Fixes: f037590fff30 ("rds: fix a leak of kernel memory") Fixes: bdbe6fbc6a2f ("RDS: recv.c") Suggested-by: Dan Carpenter <dan.carpen...@oracle.com> Signed-off-by: Peilin Ye <yepeilin...@gmail.com> --- Note: the "real" copy_to_user() happens in put_cmsg(), where `cmlen - sizeof(*cm)` equals to `sizeof(cmsg)`. Reference: https://lwn.net/Articles/417989/ $ pahole -C "rds_rdma_notify" net/rds/recv.o struct rds_rdma_notify { __u64 user_token; /* 0 8 */ __s32 status; /* 8 4 */ /* size: 16, cachelines: 1, members: 2 */ /* padding: 4 */ /* last cacheline: 16 bytes */ }; net/rds/recv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Looks good. FWIW, Acked-by: Santosh Shilimkar <santosh.shilim...@oracle.com>
