From: Sitsofe Wheeler <sitsofe@yahoo.com>
To: Ingo Molnar <mingo@elte.hu>, Vegard Nossum <vegardno@ifi.uio.no>
Cc: Dave Airlie <airlied@redhat.com>,
	Pekka Enberg <penberg@cs.helsinki.fi>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drm: fix leak of uninitialized data to userspace (acpi_system_read_event)
Date: Fri, 10 Oct 2008 06:26:43 -0700 (PDT)
Message-ID: <126003.45052.qm@web38204.mail.mud.yahoo.com>

> From: Ingo Molnar <mingo@elte.hu>
>
> * Vegard Nossum wrote:
>
> > ...so it seems that dev->unique is never updated to reflect the
> > actual length of the string. The remaining bytes (20 in this case)
> > are random uninitialized bytes that are copied into userspace.
> > 
> > This patch fixes the problem by setting dev->unique_len after the
> > snprintf().
> > 
> > Completely untested.
> > 
> > Reported-by: Sitsofe Wheeler 
> > Signed-off-by: Vegard Nossum 
> 
> i've stuck it into the tip/out-of-tree quick-fixes branch.
> 
> Sitsofe, could you please check very latest tip/master with 
> CONFIG_KMEMCHECK=y, does it find any other uninitialized memory access?

No other uninitialized memory access so far (although having kmemcheck on does seem to provoke rcu stall warnings)...

...I take it back. This just turned up:
[  992.417019] WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (f2363d14)
[  992.417033] 000110000002200061635f61646170746572000000000000cc2c030041433000
[  992.417077]  i i i i i i i i i i i i i i i i i i i u u u u u u u u u i i i i
[  992.417117]                                          ^
[  992.417121] 
[  992.417127] Pid: 1893, comm: acpid Not tainted (2.6.27-tipskw-00088-g9f41241-dirty #84) 900
[  992.417134] EIP: 0060:[<c025fbdd>] EFLAGS: 00000286 CPU: 0
[  992.417147] EIP is at acpi_bus_receive_event+0xd6/0x109
[  992.417153] EAX: 00054489 EBX: f2363d00 ECX: 00000006 EDX: ffffffed
[  992.417158] ESI: f2363d14 EDI: f6057f28 EBP: f6057f08 ESP: c0566d68
[  992.417164]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  992.417169] CR0: 8005003b CR2: f6671034 CR3: 360ea000 CR4: 000006c0
[  992.417175] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[  992.417180] DR6: ffff4ff0 DR7: 00000400
[  992.417184]  [<c026b86f>] acpi_system_read_event+0x49/0xc5
[  992.417195]  [<c01b2381>] proc_reg_read+0x61/0x90
[  992.417206]  [<c017efb5>] vfs_read+0x95/0x120
[  992.417215]  [<c017f5f2>] sys_read+0x42/0x70
[  992.417222]  [<c010336d>] sysenter_do_call+0x12/0x35
[  992.417230]  [<ffffffff>] 0xffffffff
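The leak Vegard describes above (a string written into a buffer while the separate length field keeps the allocation size, so the copy to userspace carries whatever bytes follow the terminator) is easy to reproduce in a small model. The following is an added example, not code from the thread or from the DRM driver: `struct fake_dev`, `fake_alloc`, `set_unique_buggy`, `set_unique_fixed`, `copy_to_fake_user`, `leaked_bytes` and `run_scenario` are all hypothetical stand-ins for `dev->unique`, `dev->unique_len`, the allocator and `copy_to_user()`. It fills the "freshly allocated" buffer with a marker byte so the leaked bytes can be counted, which kmemcheck does for real by tracking shadow state.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for the device's unique-name buffer: a fixed-size
 * buffer plus a separate length field, like dev->unique / dev->unique_len. */
#define UNIQUE_MAX 32
#define UNINIT_MARK 0xCC   /* marker for "whatever the allocator left behind" */

struct fake_dev {
    char unique[UNIQUE_MAX];
    size_t unique_len;
};

/* Simulate a freshly allocated buffer whose contents are undefined: fill it
 * with the marker so any byte that reaches "userspace" is visible. The length
 * recorded is the size that was requested, not the length of any string. */
static void fake_alloc(struct fake_dev *dev, size_t len)
{
    memset(dev->unique, UNINIT_MARK, sizeof dev->unique);
    dev->unique_len = len;
}

/* Buggy variant: writes the string but never updates unique_len. */
static void set_unique_buggy(struct fake_dev *dev, const char *bus)
{
    snprintf(dev->unique, sizeof dev->unique, "pci:%s", bus);
}

/* Fixed variant, following the fix described in the thread: record the
 * length snprintf actually produced, clamped to what fits in the buffer. */
static void set_unique_fixed(struct fake_dev *dev, const char *bus)
{
    int n = snprintf(dev->unique, sizeof dev->unique, "pci:%s", bus);
    if (n < 0)
        n = 0;
    if ((size_t)n >= sizeof dev->unique)
        n = (int)sizeof dev->unique - 1;
    dev->unique_len = (size_t)n;
}

/* Stand-in for copy_to_user(): copies unique_len bytes, exactly as the ioctl
 * path would, and returns how many bytes were copied. */
static size_t copy_to_fake_user(char *user_buf, size_t user_cap,
                                const struct fake_dev *dev)
{
    size_t n = dev->unique_len < user_cap ? dev->unique_len : user_cap;
    memcpy(user_buf, dev->unique, n);
    return n;
}

/* Count copied bytes past the string terminator that still carry the marker:
 * that is the number of uninitialized bytes that reached userspace. */
static size_t leaked_bytes(const char *user_buf, size_t n)
{
    size_t str_end = 0;
    while (str_end < n && user_buf[str_end] != '\0')
        str_end++;
    size_t leaked = 0;
    for (size_t i = str_end; i < n; i++)
        if ((unsigned char)user_buf[i] == UNINIT_MARK)
            leaked++;
    return leaked;
}

/* Run one scenario (fixed != 0 selects the corrected setter) and return how
 * many uninitialized bytes were copied out. */
size_t run_scenario(int fixed)
{
    struct fake_dev dev;
    char user_buf[UNIQUE_MAX];
    const char *bus = "0000:01:00.0";   /* constructed sample bus id */

    fake_alloc(&dev, 24);               /* allocator was asked for 24 bytes */
    if (fixed)
        set_unique_fixed(&dev, bus);    /* "pci:0000:01:00.0" is 16 bytes */
    else
        set_unique_buggy(&dev, bus);

    size_t n = copy_to_fake_user(user_buf, sizeof user_buf, &dev);
    return leaked_bytes(user_buf, n);
}

int main(void)
{
    printf("buggy: %zu uninitialized bytes copied\n", run_scenario(0));
    printf("fixed: %zu uninitialized bytes copied\n", run_scenario(1));
    return 0;
}
```

With the buggy setter the 24-byte copy carries the 16-byte string, its terminator and 7 marker bytes; with the length taken from `snprintf()` only the string itself is copied. The same stale-length pattern is what a tool like kmemcheck flags as a read from uninitialized memory, so checking that every length handed to `copy_to_user()` was derived from what was actually written is the review question to ask on such paths.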