From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Sakari Ailus <sakari.ailus@linux.intel.com>,
linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH] media: omap3isp: Use struct_group() for memcpy() region
Date: Wed, 15 Dec 2021 16:05:05 -0600 [thread overview]
Message-ID: <20211215220505.GB21862@embeddedor> (raw)
In-Reply-To: <202112150937.8E4974D35@keescook>
On Wed, Dec 15, 2021 at 09:38:55AM -0800, Kees Cook wrote:
> On Mon, Dec 13, 2021 at 05:24:16PM -0600, Gustavo A. R. Silva wrote:
> > On Thu, Nov 18, 2021 at 10:43:52AM -0800, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > > field bounds checking for memcpy(), memmove(), and memset(), avoid
> > > intentionally writing across neighboring fields. Wrap the target region
> > > in struct_group(). This additionally fixes a theoretical misalignment
> > > of the copy (since the size of "buf" changes between 64-bit and 32-bit,
> > > but this is likely never built for 64-bit).
> > >
> > > FWIW, I think this code is totally broken on 64-bit (which appears to
> > > not be a "real" build configuration): it would either always fail (with
> > > an uninitialized data->buf_size) or would cause corruption in userspace
> > > due to the copy_to_user() in the call path against an uninitialized
> > > data->buf value:
> > >
> > > omap3isp_stat_request_statistics_time32(...)
> > > struct omap3isp_stat_data data64;
> > > ...
> > > omap3isp_stat_request_statistics(stat, &data64);
> > >
> > > int omap3isp_stat_request_statistics(struct ispstat *stat,
> > > struct omap3isp_stat_data *data)
> > > ...
> > > buf = isp_stat_buf_get(stat, data);
> > >
> > > static struct ispstat_buffer *isp_stat_buf_get(struct ispstat *stat,
> > > struct omap3isp_stat_data *data)
> > > ...
> > > if (buf->buf_size > data->buf_size) {
> > > ...
> > > return ERR_PTR(-EINVAL);
> > > }
> > > ...
> > > rval = copy_to_user(data->buf,
> > > buf->virt_addr,
> > > buf->buf_size);
> > >
> > > Regardless, additionally initialize data64 to be zero-filled to avoid
> > > undefined behavior.
> > >
> > > Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of omap3isp_stat_data")
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> > > ---
> > > drivers/media/platform/omap3isp/ispstat.c | 5 +++--
> > > include/uapi/linux/omap3isp.h | 21 +++++++++++++--------
> > > 2 files changed, 16 insertions(+), 10 deletions(-)
> > >
> > > diff --git a/drivers/media/platform/omap3isp/ispstat.c b/drivers/media/platform/omap3isp/ispstat.c
> > > index 5b9b57f4d9bf..68cf68dbcace 100644
> > > --- a/drivers/media/platform/omap3isp/ispstat.c
> > > +++ b/drivers/media/platform/omap3isp/ispstat.c
> > > @@ -512,7 +512,7 @@ int omap3isp_stat_request_statistics(struct ispstat *stat,
> > > int omap3isp_stat_request_statistics_time32(struct ispstat *stat,
> > > struct omap3isp_stat_data_time32 *data)
> > > {
> > > - struct omap3isp_stat_data data64;
> > > + struct omap3isp_stat_data data64 = { };
> > > int ret;
> > >
> > > ret = omap3isp_stat_request_statistics(stat, &data64);
> > > @@ -521,7 +521,8 @@ int omap3isp_stat_request_statistics_time32(struct ispstat *stat,
> > >
> > > data->ts.tv_sec = data64.ts.tv_sec;
> > > data->ts.tv_usec = data64.ts.tv_usec;
> > > - memcpy(&data->buf, &data64.buf, sizeof(*data) - sizeof(data->ts));
> > > + data->buf = (uintptr_t)data64.buf;
> >
> > Shouldn't this be
> >
> > data->buf = (uintptr_t)(void *)data64.buf;
> >
> > instead?
>
> This is already a void *:
>
> struct omap3isp_stat_data {
> ...
> void __user *buf;
> };
>
> But I agree, the mix of structures in here is confusing! :)
Yep; you're right. :)
Thanks
--
Gustavo
prev parent reply other threads:[~2021-12-15 21:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-18 18:43 [PATCH] media: omap3isp: Use struct_group() for memcpy() region Kees Cook
2021-12-13 23:24 ` Gustavo A. R. Silva
2021-12-15 17:38 ` Kees Cook
2021-12-15 22:05 ` Gustavo A. R. Silva [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211215220505.GB21862@embeddedor \
--to=gustavoars@kernel.org \
--cc=arnd@arndb.de \
--cc=keescook@chromium.org \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=sakari.ailus@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.