From: bugzilla-daemon@bugzilla.kernel.org
To: linux-scsi@vger.kernel.org
Subject: [Bug 214711] New: Memory leakage from kernel to user space
Date: Wed, 13 Oct 2021 20:58:40 +0000
Message-ID: <bug-214711-11613@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=214711
Bug ID: 214711
Summary: Memory leakage from kernel to user space
Product: SCSI Drivers
Version: 2.5
Kernel Version: 5.15-rc5
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Other
Assignee: scsi_drivers-other@kernel-bugs.osdl.org
Reporter: bao00065@umn.edu
Regression: No
Hi Maintainer,
I just found an uninitialized value use bug that causes memory leakage from
kernel to user space. Here are the details:
The vulnerable function is in /drivers/scsi/scsi_ioctl.c:
static int scsi_put_cdrom_generic_arg(const struct cdrom_generic_command *cgc,
				      void __user *arg)
{
#ifdef CONFIG_COMPAT
	if (in_compat_syscall()) {
		struct compat_cdrom_generic_command cgc32 = {
			.buffer = (uintptr_t)(cgc->buffer),
			.buflen = cgc->buflen,
			.stat = cgc->stat,
			.sense = (uintptr_t)(cgc->sense),
			.data_direction = cgc->data_direction,
			.quiet = cgc->quiet,
			.timeout = cgc->timeout,
			.unused = (uintptr_t)(cgc->unused),
		};
		memcpy(&cgc32.cmd, &cgc->cmd, CDROM_PACKET_SIZE);

		if (copy_to_user(arg, &cgc32, sizeof(cgc32)))
			return -EFAULT;
		return 0;
	}
#endif
	if (copy_to_user(arg, cgc, sizeof(*cgc)))
		return -EFAULT;
	return 0;
}
The issue is, struct cgc32 is partially initialized since pad[3] is not
initialized. Then this struct is passed to copy_to_user, and 3 bytes are leaked
from kernel space to user space.
The struct is declared here:
struct compat_cdrom_generic_command {
	unsigned char	cmd[CDROM_PACKET_SIZE];
	compat_caddr_t	buffer;
	compat_uint_t	buflen;
	compat_int_t	stat;
	compat_caddr_t	sense;
	unsigned char	data_direction;
	unsigned char	pad[3];
	compat_int_t	quiet;
	compat_int_t	timeout;
	compat_caddr_t	unused;
};
#endif
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
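A user-space model of the pattern the report describes, added here as an example and not taken from the bug report or from the kernel: a 32-bit compat struct is built in a stack slot that still holds old data, then copied out whole, so every byte the conversion does not set travels to user space. The struct layouts, the 0xAA "stale stack" marker and the fill_leaky/fill_safe helpers are constructed for the demonstration; members are assigned one at a time so the skipped bytes stay observable, and fill_safe shows the usual fix of clearing the object before filling it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDROM_PACKET_SIZE 12
#define STALE 0xAA /* constructed marker standing in for leftover stack data */

/* Native layout as the kernel sees it (pointers modelled as 64-bit). */
struct cgc {
	unsigned char cmd[CDROM_PACKET_SIZE];
	uint64_t buffer; uint32_t buflen; int32_t stat; uint64_t sense;
	unsigned char data_direction; int32_t quiet; int32_t timeout; uint64_t unused;
};

/* 32-bit ABI layout handed to copy_to_user(): 44 bytes, explicit pad[3]. */
struct compat_cgc {
	unsigned char cmd[CDROM_PACKET_SIZE];
	uint32_t buffer; uint32_t buflen; int32_t stat; uint32_t sense;
	unsigned char data_direction; unsigned char pad[3];
	int32_t quiet; int32_t timeout; uint32_t unused;
};

/* Sets every named field the caller cares about, but never touches pad[]. */
static void fill_leaky(struct compat_cgc *o, const struct cgc *i)
{
	memcpy(o->cmd, i->cmd, CDROM_PACKET_SIZE);
	o->buffer = (uint32_t)i->buffer; o->buflen = i->buflen; o->stat = i->stat;
	o->sense = (uint32_t)i->sense; o->data_direction = i->data_direction;
	o->quiet = i->quiet; o->timeout = i->timeout; o->unused = (uint32_t)i->unused;
}

/* Hardened form: clear the whole object first so every byte is known. */
static void fill_safe(struct compat_cgc *o, const struct cgc *i)
{
	memset(o, 0, sizeof(*o));
	fill_leaky(o, i);
}

/* Dirty a stack slot, run the conversion, count bytes still carrying the
 * marker: each one would reach user space verbatim via copy_to_user(). */
static int stale_bytes(void (*fill)(struct compat_cgc *, const struct cgc *))
{
	union { struct compat_cgc s; unsigned char b[sizeof(struct compat_cgc)]; } slot;
	struct cgc in = { .cmd = { 0x12 }, .buflen = 8, .data_direction = 1 };
	int n = 0;
	memset(slot.b, STALE, sizeof(slot.b));
	fill(&slot.s, &in);
	for (size_t k = 0; k < sizeof(slot.b); k++)
		n += (slot.b[k] == STALE);
	return n;
}

int main(void)
{
	printf("leaky: %d stale bytes, safe: %d stale bytes\n",
	       stale_bytes(fill_leaky), stale_bytes(fill_safe));
	return 0;
}
```

The leaky path reports 3 stale bytes (the pad[3] region), the hardened path 0; the same check applies to any structure assembled on the stack and copied out whole.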