From: Roland Dreier <rdreier@cisco.com>
To: Vasiliy Kulikov <segooon@gmail.com>
Cc: kernel-janitors@vger.kernel.org,
Roland Dreier <rolandd@cisco.com>,
Sean Hefty <sean.hefty@intel.com>,
Hal Rosenstock <hal.rosenstock@gmail.com>,
Alex Chiang <achiang@hp.com>, Andi Kleen <ak@linux.intel.com>,
Greg Kroah-Hartman <gregkh@suse.de>, Julia Lawall <julia@diku.dk>,
linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] infiniband: core: fix information leak to userland
Date: Wed, 10 Nov 2010 16:01:08 -0800 [thread overview]
Message-ID: <ada39r8ohiz.fsf@cisco.com> (raw)
In-Reply-To: <1289054481-18145-1-git-send-email-segooon@gmail.com> (Vasiliy Kulikov's message of "Sat, 6 Nov 2010 17:41:20 +0300")
> Structure ib_uverbs_qp_attr is copied to userland with allmost all
> fields uninitialized (140 bytes on x86). It leads to leaking of
> contents of kernel stack memory.
I don't think most of the fields are uninitialized... we have:
memset(&qp_attr, 0, sizeof qp_attr);
and then later on,
ib_copy_qp_attr_to_user(&resp, &qp_attr);
which actually does initialize almost all of the fields in resp. The
things that are missing are clearing out the reserved fields in the
structures, and also resp.qp_state never gets set.
I would suggest adding code to clear the reserved fields of structures
to ib_copy_qp_attr_to_user() and ib_copy_ah_attr_to_user(), since this
will fix what looks to be the same problem in ucma_init_qp_attr() (in
drivers/infiniband/core/ucma.c).
Sean, what is intended for qp_state handling here? It seems
ib_copy_qp_attr_to_user() should either clear it or set it to something
sensible.
- R.
next prev parent reply other threads:[~2010-11-11 0:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-06 14:41 [PATCH] infiniband: core: fix information leak to userland Vasiliy Kulikov
2010-11-11 0:01 ` Roland Dreier [this message]
2010-11-11 0:39 ` Hefty, Sean
2010-11-12 18:08 ` Vasiliy Kulikov
2010-11-12 18:28 ` Hefty, Sean
2010-11-14 9:22 ` [PATCH v2] infiniband: core: fix information leak to userspace Vasiliy Kulikov
2010-12-02 0:33 ` Roland Dreier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ada39r8ohiz.fsf@cisco.com \
--to=rdreier@cisco.com \
--cc=achiang@hp.com \
--cc=ak@linux.intel.com \
--cc=gregkh@suse.de \
--cc=hal.rosenstock@gmail.com \
--cc=julia@diku.dk \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=rolandd@cisco.com \
--cc=sean.hefty@intel.com \
--cc=segooon@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox