From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751324AbdHDJUZ (ORCPT ); Fri, 4 Aug 2017 05:20:25 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:50399 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751285AbdHDJUY (ORCPT ); Fri, 4 Aug 2017 05:20:24 -0400 Date: Fri, 4 Aug 2017 11:20:17 +0200 From: Heiko Carstens To: Thomas Huth Cc: sohu0106 , schwidefsky@de.ibm.com, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: drivers/s390/char/keyboard.c kernel stack infoleak References: <116f735.aa23.15da864e94a.Coremail.sohu0106@126.com> <0b76e8f9-e1ea-da9e-23f2-92cdbd475ec9@tuxfamily.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <0b76e8f9-e1ea-da9e-23f2-92cdbd475ec9@tuxfamily.org> User-Agent: Mutt/1.5.24 (2015-08-30) X-TM-AS-GCONF: 00 x-cbid: 17080409-0020-0000-0000-000003AA1A5B X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17080409-0021-0000-0000-000042353BEE Message-Id: <20170804092017.GA3278@osiris> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-08-04_05:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1708040140 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 04, 2017 at 11:09:24AM +0200, Thomas Huth wrote: > Hi, > > On 03.08.2017 15:59, sohu0106 wrote: > > > > The stack object "kbdiacr" has a total size of 4 bytes. Its last 1 bytes are padding bytes after "result" which are not initialized and leaked to userland via "copy_to_user". > > > > > > diff --git a/keyboard.c b/keyboard.c > > index ba0e4f9..76a6d35 100644 > > --- a/keyboard.c > > +++ b/keyboard.c > > @@ -480,6 +480,8 @@ int kbd_ioctl(struct kbd_data *kbd, unsigned int cmd, unsigned long arg) > > struct kbdiacr diacr; > > int i; > > > > + memset( &diacr, 0, sizeof(struct kbdiacr) ); > > + > > I think it would be nicer to simply init the struct with "= {}" > directly, i.e.: > > struct kbdiacr diacr = {}; > > And by the way, please have a look at the kernel patch submission > guidelines first, especially the COO part here: The patch doesn't make sense. There is no padding and therefore no information leak.