[Bug 210973] New: info leaks in all kernel versions including android

All the mail mirrored from lore.kernel.org
 help / color / mirror / Atom feed

* [Bug 210973] New: info leaks in all kernel versions including android
@ 2020-12-30 22:50 bugzilla-daemon
  2020-12-31  6:57 ` Leon Romanovsky
  0 siblings, 1 reply; 2+ messages in thread
From: bugzilla-daemon @ 2020-12-30 22:50 UTC (permalink / raw
  To: linux-rdma

https://bugzilla.kernel.org/show_bug.cgi?id=210973

            Bug ID: 210973
           Summary: info leaks in all kernel versions including android
           Product: Drivers
           Version: 2.5
    Kernel Version: latest
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: high
          Priority: P1
         Component: Infiniband/RDMA
          Assignee: drivers_infiniband-rdma@kernel-bugs.osdl.org
          Reporter: fxast243@gmail.com
        Regression: No

While I audit android kernel source code , I noticed that there is an
Uninitialized data which could lead to info leak in ib_uverbs_create_ah
function. I download the source code from here 
https://android.googlesource.com/kernel/common. Also it exists in the
linux-masters

https://github.com/torvalds/linux/blob/master/drivers/infiniband/core/uverbs_cmd.c#L2408


# BUG
resp.ah_handle = uobj->id;
return uverbs_response(attrs, &resp, sizeof(resp));


# 1
static int ib_uverbs_create_ah(struct uverbs_attr_bundle *attrs)
{
        struct ib_uverbs_create_ah       cmd;
        struct ib_uverbs_create_ah_resp  resp; <== point to ah_handle and
driver_data
        struct ib_uobject               *uobj;
        struct ib_pd                    *pd;
        struct ib_ah                    *ah;
        struct rdma_ah_attr             attr = {};
        int ret;
        struct ib_device *ib_dev;

        ret = uverbs_request(attrs, &cmd, sizeof(cmd));
        if (ret)
                ret

..etc



        ah->uobject  = uobj;
        uobj->user_handle = cmd.user_handle;
        uobj->object = ah;
        uobj_put_obj_read(pd);
        uobj_finalize_uobj_create(uobj, attrs);

        resp.ah_handle = uobj->id; <==
      //  __u32 driver_data[0];  <== ??? Uninitialized data.
        return uverbs_response(attrs, &resp, sizeof(resp)); <== memoey leaks



//include/uapi/rdma/ib_user_verbs.h


struct ib_uverbs_create_ah_resp {
        __u32 ah_handle;
        __u32 driver_data[0];
};



static int uverbs_response(struct uverbs_attr_bundle *attrs, const void *resp,
                           size_t resp_len)
{
        int ret;

        if (uverbs_attr_is_valid(attrs, UVERBS_ATTR_CORE_OUT))
                return uverbs_copy_to_struct_or_zero(
                        attrs, UVERBS_ATTR_CORE_OUT, resp, resp_len);

        if (copy_to_user(attrs->ucore.outbuf, resp,
                         min(attrs->ucore.outlen, resp_len))) <== copy data to
userspace
                return -EFAULT;

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [Bug 210973] New: info leaks in all kernel versions including android
  2020-12-30 22:50 [Bug 210973] New: info leaks in all kernel versions including android bugzilla-daemon
@ 2020-12-31  6:57 ` Leon Romanovsky
  0 siblings, 0 replies; 2+ messages in thread
From: Leon Romanovsky @ 2020-12-31  6:57 UTC (permalink / raw
  To: bugzilla-daemon; +Cc: linux-rdma

On Wed, Dec 30, 2020 at 10:50:43PM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=210973
>
>             Bug ID: 210973
>            Summary: info leaks in all kernel versions including android
>            Product: Drivers
>            Version: 2.5
>     Kernel Version: latest
>           Hardware: All
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: high
>           Priority: P1
>          Component: Infiniband/RDMA
>           Assignee: drivers_infiniband-rdma@kernel-bugs.osdl.org
>           Reporter: fxast243@gmail.com
>         Regression: No
>
> While I audit android kernel source code , I noticed that there is an
> Uninitialized data which could lead to info leak in ib_uverbs_create_ah
> function. I download the source code from here
> https://android.googlesource.com/kernel/common. Also it exists in the
> linux-masters
>
> https://github.com/torvalds/linux/blob/master/drivers/infiniband/core/uverbs_cmd.c#L2408
>
>
> # BUG
> resp.ah_handle = uobj->id;
> return uverbs_response(attrs, &resp, sizeof(resp));


Thanks for the report.

There is no info leak here because according to the C99 standard if flexible
array doesn't have members, it will be treated as non-existent for the struct
size calculations.

In our case sizeof(u32) == sizeof(struct ib_uverbs_create_ah_resp) and
not sizeof(u32) + sizeof(u32) as you wrote.

See 6.7.2.1 Structureand union specifiers, item 16 for more info.

Thanks


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2020-12-31  6:58 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-12-30 22:50 [Bug 210973] New: info leaks in all kernel versions including android bugzilla-daemon
2020-12-31  6:57 ` Leon Romanovsky

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.