From mboxrd@z Thu Jan 1 00:00:00 1970 From: Roland Dreier Date: Thu, 11 Nov 2010 00:01:08 +0000 Subject: Re: [PATCH] infiniband: core: fix information leak to userland Message-Id: List-Id: References: <1289054481-18145-1-git-send-email-segooon@gmail.com> In-Reply-To: <1289054481-18145-1-git-send-email-segooon-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> (Vasiliy Kulikov's message of "Sat, 6 Nov 2010 17:41:20 +0300") MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Vasiliy Kulikov Cc: kernel-janitors-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Roland Dreier , Sean Hefty , Hal Rosenstock , Alex Chiang , Andi Kleen , Greg Kroah-Hartman , Julia Lawall , linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > Structure ib_uverbs_qp_attr is copied to userland with allmost all > fields uninitialized (140 bytes on x86). It leads to leaking of > contents of kernel stack memory. I don't think most of the fields are uninitialized... we have: memset(&qp_attr, 0, sizeof qp_attr); and then later on, ib_copy_qp_attr_to_user(&resp, &qp_attr); which actually does initialize almost all of the fields in resp. The things that are missing are clearing out the reserved fields in the structures, and also resp.qp_state never gets set. I would suggest adding code to clear the reserved fields of structures to ib_copy_qp_attr_to_user() and ib_copy_ah_attr_to_user(), since this will fix what looks to be the same problem in ucma_init_qp_attr() (in drivers/infiniband/core/ucma.c). Sean, what is intended for qp_state handling here? It seems ib_copy_qp_attr_to_user() should either clear it or set it to something sensible. - R.