From: Dan Carpenter <dan.carpenter@oracle.com>
To: Eli Cohen <eli@dev.mellanox.co.il>
Cc: Eli Cohen <eli@mellanox.com>, Roland Dreier <roland@kernel.org>,
Sean Hefty <sean.hefty@intel.com>,
Hal Rosenstock <hal.rosenstock@gmail.com>,
linux-rdma@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] IB/mlx5: stack info leak in mlx5_ib_alloc_ucontext()
Date: Sun, 28 Jul 2013 23:24:43 +0300 [thread overview]
Message-ID: <20130728202323.GA5053@mwanda> (raw)
In-Reply-To: <20130728072336.GB29427@mtldesk30>
On Sun, Jul 28, 2013 at 10:23:36AM +0300, Eli Cohen wrote:
> On Thu, Jul 25, 2013 at 08:04:36PM +0300, Dan Carpenter wrote:
> > We don't set "resp.reserved". Since it's at the end of the struct that
> > means we don't have to copy it to the user.
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
> > diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
> > index 8000fff..43dfb84 100644
> > --- a/drivers/infiniband/hw/mlx5/main.c
> > +++ b/drivers/infiniband/hw/mlx5/main.c
> > @@ -619,7 +619,8 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev,
> >
> > resp.tot_uuars = req.total_num_uuars;
> > resp.num_ports = dev->mdev.caps.num_ports;
> > - err = ib_copy_to_udata(udata, &resp, sizeof(resp));
> > + err = ib_copy_to_udata(udata, &resp,
> > + sizeof(resp) - sizeof(resp.reserved));
> > if (err)
> > goto out_uars;
> >
>
> I don't have strong opinion on this one. The title of the patch is
> stack info leak but the only leak of a reserved field. Other opinions?
First let me say that I don't know how this code is called, it may
be root only, but even in that case I think it's still worth
applying my patch.
These info leak problems are a well known security problem so I
didn't put a long explanation. What you do is you fill the stack
with function pointers, then you call the function that leaks. Then
you have a potentially useful pointer which was supposed to be
secret. Something like that anyway.
There are probably lots of other easier ways to defeat address space
randomization. There may be other ways you can use info leaks as
well...
Anyway, regardless, static checkers and code auditors look for these
leaks so applying the patch makes sense just to silence a warning.
regards,
dan carpenter
next prev parent reply other threads:[~2013-07-28 20:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-25 17:04 [patch] IB/mlx5: stack info leak in mlx5_ib_alloc_ucontext() Dan Carpenter
2013-07-28 7:23 ` Eli Cohen
2013-07-28 20:24 ` Dan Carpenter [this message]
2013-07-29 12:02 ` Eli Cohen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130728202323.GA5053@mwanda \
--to=dan.carpenter@oracle.com \
--cc=eli@dev.mellanox.co.il \
--cc=eli@mellanox.com \
--cc=hal.rosenstock@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=roland@kernel.org \
--cc=sean.hefty@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox