From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Jiri Slaby <jirislaby@kernel.org>,
linux-serial@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: stack leak via uart_get_info() ?
Date: Thu, 5 Oct 2023 19:55:34 +0200
Message-ID: <2023100517-washer-why-7513@gregkh>
In-Reply-To: <967b9ef1-fb36-48bf-9e6a-1b99af24c052@p183>

On Thu, Oct 05, 2023 at 07:34:21PM +0300, Alexey Dobriyan wrote:
> If this check ever triggers
>
> static int uart_get_info(struct tty_port *port, struct serial_struct *retinfo)
> {
>
> 	uport = uart_port_check(state);
> 	if (!uport)
> 		goto out;
>
> then all those sysfs users will print stack contents to userspace.
>
> Can it trigger while sysfs read is executing?

I don't think it can ever fail, we don't even check the result in other
places, so it should all be fine.

> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
> ---
>
> --- a/drivers/tty/serial/serial_core.c
> +++ b/drivers/tty/serial/serial_core.c
> @@ -775,6 +775,8 @@ static int uart_get_info(struct tty_port *port, struct serial_struct *retinfo)
> struct uart_port *uport;
> int ret = -ENODEV;
>
> + *retinfo = (struct serial_struct){};
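
Review bot: the compound-literal assignment on the added line, `*retinfo = (struct serial_struct){};`, sets the members to zero but leaves the value of any padding bytes in the struct unspecified, so it does not by itself guarantee that every byte of *retinfo is cleared on the early `goto out` path the report describes. Suggest `memset(retinfo, 0, sizeof(*retinfo));` at the same place, ahead of the `uart_port_check()` test, so that holes are cleared along with the members.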

This is good (although I hate the implied memcpy), a real memset would
be best to ensure that any holes are also filled.  Want to do that, or
want me to?

thanks,

greg k-h
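
The point about holes, as an added example that is not code from this thread or from the kernel: `struct demo_info` and the 0xAA poison byte are assumptions standing in for `struct serial_struct` and stale stack contents. It compares setting members on a dirty object with clearing the whole object via memset() first, and counts the bytes that still hold old data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in with alignment holes; NOT the kernel's serial_struct. */
struct demo_info {
	char type;   /* padding follows so that 'line' is aligned */
	int line;
	short flags; /* tail padding follows */
};

#define POISON 0xAA /* constructed marker standing in for old stack contents */

/* Bytes of the object that belong to no member (the "holes"). */
size_t hole_bytes(void)
{
	return sizeof(struct demo_info) -
	       (sizeof(char) + sizeof(int) + sizeof(short));
}

/*
 * Dirty the object, optionally memset() it to zero, set every member, then
 * count bytes still carrying the poison. Member stores are not required to
 * touch padding, so without the memset() the holes typically keep old data.
 */
size_t stale_bytes(int clear_first)
{
	struct demo_info info;
	const unsigned char *b = (const unsigned char *)&info;
	size_t i, hits = 0;

	memset(&info, POISON, sizeof(info));
	if (clear_first)
		memset(&info, 0, sizeof(info)); /* clears members and holes */
	info.type = 1;
	info.line = 2;
	info.flags = 3;
	for (i = 0; i < sizeof(info); i++)
		hits += (b[i] == POISON);
	return hits;
}

int main(void)
{
	printf("holes=%zu stale without memset=%zu stale with memset=%zu\n",
	       hole_bytes(), stale_bytes(0), stale_bytes(1));
	return 0;
}
```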