Linux RDMA and InfiniBand development
From: bugzilla-daemon@bugzilla.kernel.org
To: linux-rdma@vger.kernel.org
Subject: [Bug 210973] New: info leaks in all kernel versions including android
Date: Wed, 30 Dec 2020 22:50:43 +0000
Message-ID: <bug-210973-11804@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=210973

            Bug ID: 210973
           Summary: info leaks in all kernel versions including android
           Product: Drivers
           Version: 2.5
    Kernel Version: latest
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: high
          Priority: P1
         Component: Infiniband/RDMA
          Assignee: drivers_infiniband-rdma@kernel-bugs.osdl.org
          Reporter: fxast243@gmail.com
        Regression: No

While auditing the Android kernel source code, I noticed that there is
uninitialized data which could lead to an info leak in the ib_uverbs_create_ah
function. I downloaded the source code from here:
https://android.googlesource.com/kernel/common. It also exists in
Linux master:

https://github.com/torvalds/linux/blob/master/drivers/infiniband/core/uverbs_cmd.c#L2408


# BUG
resp.ah_handle = uobj->id;
return uverbs_response(attrs, &resp, sizeof(resp));


# 1
static int ib_uverbs_create_ah(struct uverbs_attr_bundle *attrs)
{
        struct ib_uverbs_create_ah       cmd;
        struct ib_uverbs_create_ah_resp  resp; <== points to ah_handle and driver_data
        struct ib_uobject               *uobj;
        struct ib_pd                    *pd;
        struct ib_ah                    *ah;
        struct rdma_ah_attr             attr = {};
        int ret;
        struct ib_device *ib_dev;

        ret = uverbs_request(attrs, &cmd, sizeof(cmd));
        if (ret)
                ret

..etc



        ah->uobject  = uobj;
        uobj->user_handle = cmd.user_handle;
        uobj->object = ah;
        uobj_put_obj_read(pd);
        uobj_finalize_uobj_create(uobj, attrs);

        resp.ah_handle = uobj->id; <==
      //  __u32 driver_data[0];  <== ??? Uninitialized data.
        return uverbs_response(attrs, &resp, sizeof(resp)); <== memory leaks



//include/uapi/rdma/ib_user_verbs.h


struct ib_uverbs_create_ah_resp {
        __u32 ah_handle;
        __u32 driver_data[0];
};



static int uverbs_response(struct uverbs_attr_bundle *attrs, const void *resp,
                           size_t resp_len)
{
        int ret;

        if (uverbs_attr_is_valid(attrs, UVERBS_ATTR_CORE_OUT))
                return uverbs_copy_to_struct_or_zero(
                        attrs, UVERBS_ATTR_CORE_OUT, resp, resp_len);

        if (copy_to_user(attrs->ucore.outbuf, resp,
                         min(attrs->ucore.outlen, resp_len))) <== copies data to userspace
                return -EFAULT;

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.
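An added check, not part of the report or of the kernel tree, that a reviewer can compile to see which bytes of a response struct copied out with sizeof() can carry stale kernel memory: it poisons the struct's storage to stand in for leftover stack contents, sets the named fields the way the reported function does, copies the struct with a memcpy() stand-in for copy_to_user(), and counts the poison bytes that survive. The padded_resp struct and all field values are constructed for contrast and are not from the page.

```c
#include <stdint.h>
#include <string.h>

/* Layout from the report's include/uapi/rdma/ib_user_verbs.h excerpt (__u32 as uint32_t). */
struct ib_uverbs_create_ah_resp {
	uint32_t ah_handle;
	uint32_t driver_data[0]; /* zero-length trailing array: adds nothing to sizeof */
};

/* Constructed contrast case (hypothetical, not a kernel struct): padding after flag. */
struct padded_resp {
	uint8_t  flag;
	uint64_t value;
};

#define POISON 0xAA /* stands in for stale data left on the kernel stack */

/* Bytes of the copied-out response the producer never wrote: the bytes a real
 * copy_to_user(outbuf, resp, sizeof(resp)) would hand to userspace. */
static size_t count_poison(const unsigned char *ubuf, size_t len)
{
	size_t n = 0;
	for (size_t i = 0; i < len; i++)
		n += (ubuf[i] == POISON);
	return n;
}

/* The report's struct, filled as ib_uverbs_create_ah() fills it. */
size_t leaked_bytes_create_ah_resp(void)
{
	struct ib_uverbs_create_ah_resp resp;
	unsigned char ubuf[sizeof(resp)];  /* the "user" output buffer */
	memset(&resp, POISON, sizeof(resp));
	resp.ah_handle = 0x11223344;       /* in place of uobj->id */
	memcpy(ubuf, &resp, sizeof(resp)); /* stands in for copy_to_user() */
	return count_poison(ubuf, sizeof(resp));
}

/* The padded struct, with or without the usual fix of zeroing it first. */
size_t leaked_bytes_padded(int zero_first)
{
	struct padded_resp resp;
	unsigned char ubuf[sizeof(resp)];
	memset(&resp, POISON, sizeof(resp));
	if (zero_first)
		memset(&resp, 0, sizeof(resp)); /* what "= {}" or memset() fixes do */
	resp.flag = 1;
	resp.value = 0x0102030405060708ULL;
	memcpy(ubuf, &resp, sizeof(resp));
	return count_poison(ubuf, sizeof(resp));
}
```

Only padding or fields left unset can leak this way; the same poison-and-count check applies to any struct a driver copies to userspace by sizeof().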

Thread overview: 2+ messages
2020-12-30 22:50 bugzilla-daemon [this message]
2020-12-31  6:57 ` [Bug 210973] New: info leaks in all kernel versions including android Leon Romanovsky