From: bugzilla-daemon@bugzilla.kernel.org
To: linux-rdma@vger.kernel.org
Subject: [Bug 210973] New: info leaks in all kernel versions including android
Date: Wed, 30 Dec 2020 22:50:43 +0000 [thread overview]
Message-ID: <bug-210973-11804@https.bugzilla.kernel.org/> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=210973
Bug ID: 210973
Summary: info leaks in all kernel versions including android
Product: Drivers
Version: 2.5
Kernel Version: latest
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: high
Priority: P1
Component: Infiniband/RDMA
Assignee: drivers_infiniband-rdma@kernel-bugs.osdl.org
Reporter: fxast243@gmail.com
Regression: No
While I audit android kernel source code , I noticed that there is an
Uninitialized data which could lead to info leak in ib_uverbs_create_ah
function. I download the source code from here
https://android.googlesource.com/kernel/common. Also it exists in the
linux-masters
https://github.com/torvalds/linux/blob/master/drivers/infiniband/core/uverbs_cmd.c#L2408
# BUG
resp.ah_handle = uobj->id;
return uverbs_response(attrs, &resp, sizeof(resp));
# 1
static int ib_uverbs_create_ah(struct uverbs_attr_bundle *attrs)
{
struct ib_uverbs_create_ah cmd;
struct ib_uverbs_create_ah_resp resp; <== point to ah_handle and
driver_data
struct ib_uobject *uobj;
struct ib_pd *pd;
struct ib_ah *ah;
struct rdma_ah_attr attr = {};
int ret;
struct ib_device *ib_dev;
ret = uverbs_request(attrs, &cmd, sizeof(cmd));
if (ret)
ret
..etc
ah->uobject = uobj;
uobj->user_handle = cmd.user_handle;
uobj->object = ah;
uobj_put_obj_read(pd);
uobj_finalize_uobj_create(uobj, attrs);
resp.ah_handle = uobj->id; <==
// __u32 driver_data[0]; <== ??? Uninitialized data.
return uverbs_response(attrs, &resp, sizeof(resp)); <== memoey leaks
//include/uapi/rdma/ib_user_verbs.h
struct ib_uverbs_create_ah_resp {
__u32 ah_handle;
__u32 driver_data[0];
};
static int uverbs_response(struct uverbs_attr_bundle *attrs, const void *resp,
size_t resp_len)
{
int ret;
if (uverbs_attr_is_valid(attrs, UVERBS_ATTR_CORE_OUT))
return uverbs_copy_to_struct_or_zero(
attrs, UVERBS_ATTR_CORE_OUT, resp, resp_len);
if (copy_to_user(attrs->ucore.outbuf, resp,
min(attrs->ucore.outlen, resp_len))) <== copy data to
userspace
return -EFAULT;
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
next reply other threads:[~2020-12-30 22:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-30 22:50 bugzilla-daemon [this message]
2020-12-31 6:57 ` [Bug 210973] New: info leaks in all kernel versions including android Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-210973-11804@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@bugzilla.kernel.org \
--cc=linux-rdma@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.