* [PATCH 6/8] char: synclink: fix information leak to userland
@ 2010-10-17 14:41 Vasiliy Kulikov
2010-10-17 15:34 ` Jiri Slaby
0 siblings, 1 reply; 7+ messages in thread
From: Vasiliy Kulikov @ 2010-10-17 14:41 UTC (permalink / raw)
To: kernel-janitors
Cc: Greg Kroah-Hartman, Alan Cox, Jiri Slaby, Arnd Bergmann,
linux-kernel
Structure new_line is copied to userland with some padding fields unitialized.
It leads to leaking of stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
---
Compile tested.
drivers/char/synclink.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/drivers/char/synclink.c b/drivers/char/synclink.c
index 3a6824f..abd0867 100644
--- a/drivers/char/synclink.c
+++ b/drivers/char/synclink.c
@@ -7846,6 +7846,8 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
if (cmd != SIOCWANDEV)
return hdlc_ioctl(dev, ifr, cmd);
+ memset(&new_line, 0, size);
+
switch(ifr->ifr_settings.type) {
case IF_GET_IFACE: /* return current sync_serial_settings */
--
1.7.0.4
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH 6/8] char: synclink: fix information leak to userland
2010-10-17 14:41 [PATCH 6/8] char: synclink: fix information leak to userland Vasiliy Kulikov
@ 2010-10-17 15:34 ` Jiri Slaby
2010-10-17 15:38 ` Vasiliy Kulikov
0 siblings, 1 reply; 7+ messages in thread
From: Jiri Slaby @ 2010-10-17 15:34 UTC (permalink / raw)
To: Vasiliy Kulikov
Cc: kernel-janitors, Greg Kroah-Hartman, Alan Cox, Arnd Bergmann,
linux-kernel
On 10/17/2010 04:41 PM, Vasiliy Kulikov wrote:
> Structure new_line is copied to userland with some padding fields unitialized.
> It leads to leaking of stack memory.
I think your tool has a bug. I must admit I fail to see the padding
which would cause leaks. Could you elaborate?
> Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> ---
> Compile tested.
>
> drivers/char/synclink.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/char/synclink.c b/drivers/char/synclink.c
> index 3a6824f..abd0867 100644
> --- a/drivers/char/synclink.c
> +++ b/drivers/char/synclink.c
> @@ -7846,6 +7846,8 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
> if (cmd != SIOCWANDEV)
> return hdlc_ioctl(dev, ifr, cmd);
>
> + memset(&new_line, 0, size);
> +
> switch(ifr->ifr_settings.type) {
> case IF_GET_IFACE: /* return current sync_serial_settings */
>
--
js
suse labs
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH 6/8] char: synclink: fix information leak to userland
2010-10-17 15:34 ` Jiri Slaby
@ 2010-10-17 15:38 ` Vasiliy Kulikov
2010-10-17 17:36 ` Dan Carpenter
2010-10-17 17:46 ` Jiri Slaby
0 siblings, 2 replies; 7+ messages in thread
From: Vasiliy Kulikov @ 2010-10-17 15:38 UTC (permalink / raw)
To: Jiri Slaby
Cc: kernel-janitors, Greg Kroah-Hartman, Alan Cox, Arnd Bergmann,
linux-kernel
On Sun, Oct 17, 2010 at 17:34 +0200, Jiri Slaby wrote:
> On 10/17/2010 04:41 PM, Vasiliy Kulikov wrote:
> > Structure new_line is copied to userland with some padding fields unitialized.
> > It leads to leaking of stack memory.
>
> I think your tool has a bug. I must admit I fail to see the padding
> which would cause leaks. Could you elaborate?
I didn't use any tool except "grep copy_to_user" :)
typedef struct {
unsigned int clock_rate; /* bits per second */
unsigned int clock_type; /* internal, external, TX-internal etc. */
unsigned short loopback;
} sync_serial_settings; /* V.35, V.24, X.21 */
On x86_64 sizeof(sync_serial_settings) = 4 + 4 + 2 + 2 = 12.
The last 2 is padding.
>
> > Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
> > ---
> > Compile tested.
> >
> > drivers/char/synclink.c | 2 ++
> > 1 files changed, 2 insertions(+), 0 deletions(-)
> >
> > diff --git a/drivers/char/synclink.c b/drivers/char/synclink.c
> > index 3a6824f..abd0867 100644
> > --- a/drivers/char/synclink.c
> > +++ b/drivers/char/synclink.c
> > @@ -7846,6 +7846,8 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
> > if (cmd != SIOCWANDEV)
> > return hdlc_ioctl(dev, ifr, cmd);
> >
> > + memset(&new_line, 0, size);
> > +
> > switch(ifr->ifr_settings.type) {
> > case IF_GET_IFACE: /* return current sync_serial_settings */
> >
>
>
> --
> js
> suse labs
--
Vasiliy
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH 6/8] char: synclink: fix information leak to userland
2010-10-17 15:38 ` Vasiliy Kulikov
@ 2010-10-17 17:36 ` Dan Carpenter
2010-10-17 17:50 ` Vasiliy Kulikov
2010-10-17 17:46 ` Jiri Slaby
1 sibling, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2010-10-17 17:36 UTC (permalink / raw)
To: Vasiliy Kulikov
Cc: Jiri Slaby, kernel-janitors, Greg Kroah-Hartman, Alan Cox,
Arnd Bergmann, linux-kernel
On Sun, Oct 17, 2010 at 07:38:39PM +0400, Vasiliy Kulikov wrote:
> On Sun, Oct 17, 2010 at 17:34 +0200, Jiri Slaby wrote:
> > On 10/17/2010 04:41 PM, Vasiliy Kulikov wrote:
> > > Structure new_line is copied to userland with some padding fields unitialized.
> > > It leads to leaking of stack memory.
> >
> > I think your tool has a bug. I must admit I fail to see the padding
> > which would cause leaks. Could you elaborate?
>
> I didn't use any tool except "grep copy_to_user" :)
>
It seems like you should be able to use pahole to make a list of
structs with padding and then a checker script to find places where
information is leaked.
Also someone complained to me about when I added a memset() in a fast
path. The thought was that it might be faster to just initialize it
instead like:
struct foo bar = {};
In my case just using the initializer made the code cleaner so I did it,
but neither of us actually benchmarked it.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH 6/8] char: synclink: fix information leak to userland
2010-10-17 17:36 ` Dan Carpenter
@ 2010-10-17 17:50 ` Vasiliy Kulikov
0 siblings, 0 replies; 7+ messages in thread
From: Vasiliy Kulikov @ 2010-10-17 17:50 UTC (permalink / raw)
To: Dan Carpenter, Jiri Slaby, kernel-janitors, Greg Kroah-Hartman,
Alan Cox, Arnd Bergmann, linux-kernel
On Sun, Oct 17, 2010 at 19:36 +0200, Dan Carpenter wrote:
> On Sun, Oct 17, 2010 at 07:38:39PM +0400, Vasiliy Kulikov wrote:
> > On Sun, Oct 17, 2010 at 17:34 +0200, Jiri Slaby wrote:
> > > On 10/17/2010 04:41 PM, Vasiliy Kulikov wrote:
> > > > Structure new_line is copied to userland with some padding fields unitialized.
> > > > It leads to leaking of stack memory.
> > >
> > > I think your tool has a bug. I must admit I fail to see the padding
> > > which would cause leaks. Could you elaborate?
> >
> > I didn't use any tool except "grep copy_to_user" :)
> >
>
> It seems like you should be able to use pahole to make a list of
> structs with padding and then a checker script to find places where
> information is leaked.
Not all of these patches fix only padding zeroing, some of them fix
uninitialized fields. One struct has partly initialized array.
> Also someone complained to me about when I added a memset() in a fast
> path.
All these cases are ioctl() handlers or similar. I don't think ioctl()
should be so fast to become significantly slower with single memset().
> The thought was that it might be faster to just initialize it
> instead like:
>
> struct foo bar = {};
>
> In my case just using the initializer made the code cleaner so I did it,
> but neither of us actually benchmarked it.
>
> regards,
> dan carpenter
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Thanks,
--
Vasiliy
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 6/8] char: synclink: fix information leak to userland
2010-10-17 15:38 ` Vasiliy Kulikov
2010-10-17 17:36 ` Dan Carpenter
@ 2010-10-17 17:46 ` Jiri Slaby
2010-10-17 17:55 ` Vasiliy Kulikov
1 sibling, 1 reply; 7+ messages in thread
From: Jiri Slaby @ 2010-10-17 17:46 UTC (permalink / raw)
To: Vasiliy Kulikov
Cc: kernel-janitors, Greg Kroah-Hartman, Alan Cox, Arnd Bergmann,
linux-kernel
On 10/17/2010 05:38 PM, Vasiliy Kulikov wrote:
> On Sun, Oct 17, 2010 at 17:34 +0200, Jiri Slaby wrote:
>> On 10/17/2010 04:41 PM, Vasiliy Kulikov wrote:
>>> Structure new_line is copied to userland with some padding fields unitialized.
>>> It leads to leaking of stack memory.
>>
>> I think your tool has a bug. I must admit I fail to see the padding
>> which would cause leaks. Could you elaborate?
>
> I didn't use any tool except "grep copy_to_user" :)
>
> typedef struct {
> unsigned int clock_rate; /* bits per second */
> unsigned int clock_type; /* internal, external, TX-internal etc. */
> unsigned short loopback;
> } sync_serial_settings; /* V.35, V.24, X.21 */
>
> On x86_64 sizeof(sync_serial_settings) = 4 + 4 + 2 + 2 = 12.
> The last 2 is padding.
Ah, good to know that even end of structures is padded.
thanks for clarification,
--
js
suse labs
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH 6/8] char: synclink: fix information leak to userland
2010-10-17 17:46 ` Jiri Slaby
@ 2010-10-17 17:55 ` Vasiliy Kulikov
0 siblings, 0 replies; 7+ messages in thread
From: Vasiliy Kulikov @ 2010-10-17 17:55 UTC (permalink / raw)
To: Jiri Slaby
Cc: kernel-janitors, Greg Kroah-Hartman, Alan Cox, Arnd Bergmann,
linux-kernel
On Sun, Oct 17, 2010 at 19:46 +0200, Jiri Slaby wrote:
> On 10/17/2010 05:38 PM, Vasiliy Kulikov wrote:
> > On Sun, Oct 17, 2010 at 17:34 +0200, Jiri Slaby wrote:
> >> On 10/17/2010 04:41 PM, Vasiliy Kulikov wrote:
> >>> Structure new_line is copied to userland with some padding fields unitialized.
> >>> It leads to leaking of stack memory.
> >>
> >> I think your tool has a bug. I must admit I fail to see the padding
> >> which would cause leaks. Could you elaborate?
> >
> > I didn't use any tool except "grep copy_to_user" :)
> >
> > typedef struct {
> > unsigned int clock_rate; /* bits per second */
> > unsigned int clock_type; /* internal, external, TX-internal etc. */
> > unsigned short loopback;
> > } sync_serial_settings; /* V.35, V.24, X.21 */
> >
> > On x86_64 sizeof(sync_serial_settings) = 4 + 4 + 2 + 2 = 12.
> > The last 2 is padding.
>
> Ah, good to know that even end of structures is padded.
The rule here is that array of struct has no padding between struct
elements. So, struct has padding in the end to have good alignment of
the first field of the next array element.
Thanks,
--
Vasiliy
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2010-10-17 17:55 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-10-17 14:41 [PATCH 6/8] char: synclink: fix information leak to userland Vasiliy Kulikov
2010-10-17 15:34 ` Jiri Slaby
2010-10-17 15:38 ` Vasiliy Kulikov
2010-10-17 17:36 ` Dan Carpenter
2010-10-17 17:50 ` Vasiliy Kulikov
2010-10-17 17:46 ` Jiri Slaby
2010-10-17 17:55 ` Vasiliy Kulikov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox