From: Ingo Molnar <mingo@elte.hu>
To: Sitsofe Wheeler <sitsofe@yahoo.com>
Cc: Vegard Nossum <vegardno@ifi.uio.no>,
Dave Airlie <airlied@redhat.com>,
Pekka Enberg <penberg@cs.helsinki.fi>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drm: fix leak of uninitialized data to userspace (acpi_system_read_event)
Date: Fri, 10 Oct 2008 16:37:07 +0200
Message-ID: <20081010143707.GC21104@elte.hu>
In-Reply-To: <126003.45052.qm@web38204.mail.mud.yahoo.com>
* Sitsofe Wheeler <sitsofe@yahoo.com> wrote:
> > From: Ingo Molnar <mingo@elte.hu>
>
> >
> > * Vegard Nossum wrote:
> >
> > > ...so it seems that dev->unique is never updated to reflect the
> > > actual length of the string. The remaining bytes (20 in this case)
> > > are random uninitialized bytes that are copied into userspace.
> > >
> > > This patch fixes the problem by setting dev->unique_len after the
> > > snprintf().
> > >
> > > Completely untested.
> > >
> > > Reported-by: Sitsofe Wheeler
> > > Signed-off-by: Vegard Nossum
> >
> > i've stuck it into the tip/out-of-tree quick-fixes branch.
> >
> > Sitsofe, could you please check very latest tip/master with
> > CONFIG_KMEMCHECK=y, does it find any other uninitialized memory access?
>
> No other uninitialized memory access so far (although having kmemcheck on does seem to provoke rcu stall warnings)...
>
> ...I take it back. This just turned up:
> [ 992.417019] WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (f2363d14)
> [ 992.417033] 000110000002200061635f61646170746572000000000000cc2c030041433000
> [ 992.417077] i i i i i i i i i i i i i i i i i i i u u u u u u u u u i i i i
> [ 992.417117] ^
> [ 992.417121]
> [ 992.417127] Pid: 1893, comm: acpid Not tainted (2.6.27-tipskw-00088-g9f41241-dirty #84) 900
> [ 992.417134] EIP: 0060:[<c025fbdd>] EFLAGS: 00000286 CPU: 0
> [ 992.417147] EIP is at acpi_bus_receive_event+0xd6/0x109
> [ 992.417153] EAX: 00054489 EBX: f2363d00 ECX: 00000006 EDX: ffffffed
> [ 992.417158] ESI: f2363d14 EDI: f6057f28 EBP: f6057f08 ESP: c0566d68
> [ 992.417164] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> [ 992.417169] CR0: 8005003b CR2: f6671034 CR3: 360ea000 CR4: 000006c0
> [ 992.417175] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> [ 992.417180] DR6: ffff4ff0 DR7: 00000400
> [ 992.417184] [<c026b86f>] acpi_system_read_event+0x49/0xc5
> [ 992.417195] [<c01b2381>] proc_reg_read+0x61/0x90
> [ 992.417206] [<c017efb5>] vfs_read+0x95/0x120
> [ 992.417215] [<c017f5f2>] sys_read+0x42/0x70
> [ 992.417222] [<c010336d>] sysenter_do_call+0x12/0x35
> [ 992.417230] [<ffffffff>] 0xffffffff
this too could be a real bug i think, uncovered by kmemcheck. Vegard?
Ingo
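The first bug in this thread (a fixed-size buffer whose recorded length was never updated after snprintf(), so the copy to userspace carried trailing never-written bytes) is easy to reproduce in userspace. The following is an added example, not code from the patch or from the DRM tree: `struct fake_drm_device`, `copy_out()`, the 0xAA poison pattern and the "pci:" format are all constructed stand-ins for the kernel's `dev->unique`/`dev->unique_len` pair and copy_to_user(), chosen so the leak can be counted rather than observed only as a kmemcheck warning.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the DRM field pair named in the thread: a
 * fixed-size buffer plus the length the copy-out path trusts. */
#define UNIQUE_MAX 64

struct fake_drm_device {
    char   unique[UNIQUE_MAX];
    size_t unique_len;   /* bytes the copy-out path believes are valid */
};

/* Stand-in for copy_to_user(): copies unique_len bytes (bounded by the
 * caller's buffer) and returns how many were copied. */
static size_t copy_out(const struct fake_drm_device *dev,
                       char *user_buf, size_t user_len)
{
    size_t n = dev->unique_len < user_len ? dev->unique_len : user_len;
    memcpy(user_buf, dev->unique, n);
    return n;
}

/* Count bytes in the copied-out buffer that still carry the poison
 * pattern, i.e. bytes the formatter never wrote. This is the userspace
 * analogue of kmemcheck's 'u' marks in the warning above. */
size_t count_uninit(const char *buf, size_t len)
{
    size_t c = 0;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)buf[i] == 0xAA)
            c++;
    return c;
}

/* Buggy pattern: format into the buffer but leave unique_len at its
 * stale, allocation-sized value, so copy_out() runs past the NUL into
 * never-initialised memory. Returns the number of leaked bytes. */
size_t leak_bytes_buggy(const char *busid)
{
    struct fake_drm_device dev;
    char user_buf[UNIQUE_MAX];

    memset(dev.unique, 0xAA, sizeof dev.unique); /* fresh, unzeroed allocation */
    dev.unique_len = UNIQUE_MAX;                 /* stale: buffer size, not string length */
    snprintf(dev.unique, sizeof dev.unique, "pci:%s", busid);

    size_t n = copy_out(&dev, user_buf, sizeof user_buf);
    return count_uninit(user_buf, n);
}

/* Fixed pattern: derive unique_len from snprintf()'s return value,
 * clamped to the buffer, so only bytes actually written are copied. */
size_t leak_bytes_fixed(const char *busid)
{
    struct fake_drm_device dev;
    char user_buf[UNIQUE_MAX];

    memset(dev.unique, 0xAA, sizeof dev.unique);
    int written = snprintf(dev.unique, sizeof dev.unique, "pci:%s", busid);
    if (written < 0)
        dev.unique_len = 0;
    else if ((size_t)written >= sizeof dev.unique)
        dev.unique_len = sizeof dev.unique - 1; /* snprintf truncated */
    else
        dev.unique_len = (size_t)written;

    size_t n = copy_out(&dev, user_buf, sizeof user_buf);
    return count_uninit(user_buf, n);
}

int main(void)
{
    const char *busid = "0000:01:00.0"; /* constructed sample bus id */
    printf("buggy: %zu uninitialised bytes reach userspace\n", leak_bytes_buggy(busid));
    printf("fixed: %zu uninitialised bytes reach userspace\n", leak_bytes_fixed(busid));
    return 0;
}
```

With the sample bus id the formatted string is 16 characters, so the buggy path hands 47 of the 64 bytes to the caller without ever having written them; the fixed path hands over none. The same length-vs-capacity confusion is what to look for when triaging the acpi_bus_receive_event report: check whether the length used for the copy comes from the writer's return value or from the size of the allocation.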
Thread overview: 5+ messages
2008-10-10 13:26 [PATCH] drm: fix leak of uninitialized data to userspace (acpi_system_read_event) Sitsofe Wheeler
2008-10-10 14:37 ` Ingo Molnar [this message]
2008-10-10 15:26 ` Vegard Nossum
2008-10-10 15:32 ` Ingo Molnar
-- strict thread matches above, loose matches on Subject: below --
2008-10-11 7:55 Sitsofe Wheeler