[patch] gru: info leak in gru_get_config_info()

[patch] gru: info leak in gru_get_config_info()

[Dan Carpenter]

The "info.fill" array isn't initialized so it can leak uninitialized
stack information to user space.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
index 44d273c..ed5fc43 100644
--- a/drivers/misc/sgi-gru/grufile.c
+++ b/drivers/misc/sgi-gru/grufile.c
@@ -176,6 +176,7 @@ static long gru_get_config_info(unsigned long arg)
 	info.nodes = num_online_nodes();
 	info.blades = info.nodes / nodesperblade;
 	info.chiplets = GRU_CHIPLETS_PER_BLADE * info.blades;
+	memset(&info.fill, 0, sizeof(info.fill));
 
 	if (copy_to_user((void __user *)arg, &info, sizeof(info)))
 		return -EFAULT;

Re: [patch] gru: info leak in gru_get_config_info()

[walter harms]

Am 21.04.2013 13:10, schrieb Dan Carpenter:
> The "info.fill" array isn't initialized so it can leak uninitialized
> stack information to user space.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> index 44d273c..ed5fc43 100644
> --- a/drivers/misc/sgi-gru/grufile.c
> +++ b/drivers/misc/sgi-gru/grufile.c
> @@ -176,6 +176,7 @@ static long gru_get_config_info(unsigned long arg)
>  	info.nodes = num_online_nodes();
>  	info.blades = info.nodes / nodesperblade;
>  	info.chiplets = GRU_CHIPLETS_PER_BLADE * info.blades;
> +	memset(&info.fill, 0, sizeof(info.fill));
>  

the other way around (clear first all bytes) looks more easy
in case someone will add more elements to the struct.

memset(&info, 0, sizeof(info));
info.nodes = num_online_nodes();
info.blades = info.nodes / nodesperblade;
....

re,
 wh


>  	if (copy_to_user((void __user *)arg, &info, sizeof(info)))
>  		return -EFAULT;
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [patch] gru: info leak in gru_get_config_info()

[Robin Holt]

On Sun, Apr 21, 2013 at 01:56:57PM +0200, walter harms wrote:
> 
> 
> Am 21.04.2013 13:10, schrieb Dan Carpenter:
> > The "info.fill" array isn't initialized so it can leak uninitialized
> > stack information to user space.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > 
> > diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> > index 44d273c..ed5fc43 100644
> > --- a/drivers/misc/sgi-gru/grufile.c
> > +++ b/drivers/misc/sgi-gru/grufile.c
> > @@ -176,6 +176,7 @@ static long gru_get_config_info(unsigned long arg)
> >  	info.nodes = num_online_nodes();
> >  	info.blades = info.nodes / nodesperblade;
> >  	info.chiplets = GRU_CHIPLETS_PER_BLADE * info.blades;
> > +	memset(&info.fill, 0, sizeof(info.fill));
> >  
> 
> the other way around (clear first all bytes) looks more easy
> in case someone will add more elements to the struct.
> 
> memset(&info, 0, sizeof(info));
> info.nodes = num_online_nodes();
> info.blades = info.nodes / nodesperblade;

That does seem more safe.

Robin

[patch v2] gru: info leak in gru_get_config_info()

[Dan Carpenter]

The "info.fill" array isn't initialized so it can leak uninitialized
stack information to user space.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: style changes

diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
index 44d273c..0535d1e 100644
--- a/drivers/misc/sgi-gru/grufile.c
+++ b/drivers/misc/sgi-gru/grufile.c
@@ -172,6 +172,7 @@ static long gru_get_config_info(unsigned long arg)
 		nodesperblade = 2;
 	else
 		nodesperblade = 1;
+	memset(&info, 0, sizeof(info));
 	info.cpus = num_online_cpus();
 	info.nodes = num_online_nodes();
 	info.blades = info.nodes / nodesperblade;

Re: [patch v2] gru: info leak in gru_get_config_info()

[Dimitri Sivanich]

Acked-by: Dimitri Sivanich <sivanich@sgi.com>

On Sun, Apr 21, 2013 at 08:01:07PM +0300, Dan Carpenter wrote:
> The "info.fill" array isn't initialized so it can leak uninitialized
> stack information to user space.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: style changes
> 
> diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> index 44d273c..0535d1e 100644
> --- a/drivers/misc/sgi-gru/grufile.c
> +++ b/drivers/misc/sgi-gru/grufile.c
> @@ -172,6 +172,7 @@ static long gru_get_config_info(unsigned long arg)
>  		nodesperblade = 2;
>  	else
>  		nodesperblade = 1;
> +	memset(&info, 0, sizeof(info));
>  	info.cpus = num_online_cpus();
>  	info.nodes = num_online_nodes();
>  	info.blades = info.nodes / nodesperblade;

Re: [patch v2] gru: info leak in gru_get_config_info()

[Robin Holt]

Acked-by: Robin Holt <holt@sgi.com>
On Sun, Apr 21, 2013 at 12:33:34PM -0500, Dimitri Sivanich wrote:
> Acked-by: Dimitri Sivanich <sivanich@sgi.com>
> 
> On Sun, Apr 21, 2013 at 08:01:07PM +0300, Dan Carpenter wrote:
> > The "info.fill" array isn't initialized so it can leak uninitialized
> > stack information to user space.
> > 
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > v2: style changes
> > 
> > diff --git a/drivers/misc/sgi-gru/grufile.c b/drivers/misc/sgi-gru/grufile.c
> > index 44d273c..0535d1e 100644
> > --- a/drivers/misc/sgi-gru/grufile.c
> > +++ b/drivers/misc/sgi-gru/grufile.c
> > @@ -172,6 +172,7 @@ static long gru_get_config_info(unsigned long arg)
> >  		nodesperblade = 2;
> >  	else
> >  		nodesperblade = 1;
> > +	memset(&info, 0, sizeof(info));
> >  	info.cpus = num_online_cpus();
> >  	info.nodes = num_online_nodes();
> >  	info.blades = info.nodes / nodesperblade;
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/