* [Bug 210973] New: info leaks in all kernel versions including android
@ 2020-12-30 22:50 bugzilla-daemon
From: bugzilla-daemon @ 2020-12-30 22:50 UTC
To: linux-rdma
https://bugzilla.kernel.org/show_bug.cgi?id=210973
Bug ID: 210973
Summary: info leaks in all kernel versions including android
Product: Drivers
Version: 2.5
Kernel Version: latest
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: high
Priority: P1
Component: Infiniband/RDMA
Assignee: drivers_infiniband-rdma@kernel-bugs.osdl.org
Reporter: fxast243@gmail.com
Regression: No
While auditing the android kernel source code, I noticed that there is
uninitialized data which could lead to an info leak in the ib_uverbs_create_ah
function. I downloaded the source code from here:
https://android.googlesource.com/kernel/common. It also exists in the
linux-masters:
https://github.com/torvalds/linux/blob/master/drivers/infiniband/core/uverbs_cmd.c#L2408
# BUG
    resp.ah_handle = uobj->id;
    return uverbs_response(attrs, &resp, sizeof(resp));

# 1
static int ib_uverbs_create_ah(struct uverbs_attr_bundle *attrs)
{
    struct ib_uverbs_create_ah cmd;
    struct ib_uverbs_create_ah_resp resp; <== point to ah_handle and driver_data
    struct ib_uobject *uobj;
    struct ib_pd *pd;
    struct ib_ah *ah;
    struct rdma_ah_attr attr = {};
    int ret;
    struct ib_device *ib_dev;

    ret = uverbs_request(attrs, &cmd, sizeof(cmd));
    if (ret)
        return ret;
    ..etc
    ah->uobject = uobj;
    uobj->user_handle = cmd.user_handle;
    uobj->object = ah;

    uobj_put_obj_read(pd);
    uobj_finalize_uobj_create(uobj, attrs);

    resp.ah_handle = uobj->id; <==
    // __u32 driver_data[0]; <== ??? Uninitialized data.
    return uverbs_response(attrs, &resp, sizeof(resp)); <== memory leaks

//include/uapi/rdma/ib_user_verbs.h
struct ib_uverbs_create_ah_resp {
    __u32 ah_handle;
    __u32 driver_data[0];
};

static int uverbs_response(struct uverbs_attr_bundle *attrs, const void *resp,
                           size_t resp_len)
{
    int ret;

    if (uverbs_attr_is_valid(attrs, UVERBS_ATTR_CORE_OUT))
        return uverbs_copy_to_struct_or_zero(
            attrs, UVERBS_ATTR_CORE_OUT, resp, resp_len);

    if (copy_to_user(attrs->ucore.outbuf, resp,
                     min(attrs->ucore.outlen, resp_len))) <== copy data to userspace
        return -EFAULT;
* Re: [Bug 210973] New: info leaks in all kernel versions including android
From: Leon Romanovsky @ 2020-12-31 6:57 UTC
To: bugzilla-daemon; +Cc: linux-rdma
On Wed, Dec 30, 2020 at 10:50:43PM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=210973
>
> Bug ID: 210973
> Summary: info leaks in all kernel versions including android
> Product: Drivers
> Version: 2.5
> Kernel Version: latest
> Hardware: All
> OS: Linux
> Tree: Mainline
> Status: NEW
> Severity: high
> Priority: P1
> Component: Infiniband/RDMA
> Assignee: drivers_infiniband-rdma@kernel-bugs.osdl.org
> Reporter: fxast243@gmail.com
> Regression: No
>
> While auditing the android kernel source code, I noticed that there is
> uninitialized data which could lead to an info leak in the ib_uverbs_create_ah
> function. I downloaded the source code from here:
> https://android.googlesource.com/kernel/common. It also exists in the
> linux-masters:
>
> https://github.com/torvalds/linux/blob/master/drivers/infiniband/core/uverbs_cmd.c#L2408
>
>
> # BUG
> resp.ah_handle = uobj->id;
> return uverbs_response(attrs, &resp, sizeof(resp));
Thanks for the report.
There is no info leak here because according to the C99 standard if flexible
array doesn't have members, it will be treated as non-existent for the struct
size calculations.
In our case sizeof(u32) == sizeof(struct ib_uverbs_create_ah_resp) and
not sizeof(u32) + sizeof(u32) as you wrote.
See 6.7.2.1 Structure and union specifiers, item 16 for more info.
Thanks
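Added illustration of the sizeof argument above (not code from the thread or from the kernel): the response struct as quoted in the report, a hypothetical stand-in for uverbs_response() that copies into a plain buffer instead of user memory, and a poison-based check of the kind a reporter can run to confirm whether any uninitialised byte reaches the copy. Built with gcc, which accepts the zero-length array spelling.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef uint32_t __u32;

/* Layout as quoted in the report (include/uapi/rdma/ib_user_verbs.h).
 * driver_data[0] is the GNU zero-length spelling of the C99 flexible array
 * member driver_data[]; in both forms it adds nothing to sizeof(). */
struct ib_uverbs_create_ah_resp {
    __u32 ah_handle;
    __u32 driver_data[0];
};

/* Hypothetical stand-in for uverbs_response(): copies min(outlen, resp_len)
 * bytes into a plain buffer instead of user memory; returns bytes copied. */
static size_t copy_response(void *outbuf, size_t outlen,
                            const void *resp, size_t resp_len)
{
    size_t n = outlen < resp_len ? outlen : resp_len;
    memcpy(outbuf, resp, n);
    return n;
}

size_t create_ah_resp_size(void) { return sizeof(struct ib_uverbs_create_ah_resp); }
size_t driver_data_offset(void) { return offsetof(struct ib_uverbs_create_ah_resp, driver_data); }

/* Models the reported path: poison the local response (stale stack data),
 * assign only ah_handle, copy sizeof(resp) bytes out. Returns 1 if any copied
 * byte beyond ah_handle still carries the poison, i.e. uninitialised memory
 * was copied, else 0. With the layout above no byte lies beyond ah_handle. */
int response_leaks_uninitialised(__u32 handle)
{
    unsigned char out[32];
    struct ib_uverbs_create_ah_resp resp;
    memset(&resp, 0xAA, sizeof(resp));
    resp.ah_handle = handle;
    size_t n = copy_response(out, sizeof(out), &resp, sizeof(resp));
    for (size_t i = sizeof(resp.ah_handle); i < n; i++)
        if (out[i] == 0xAA)
            return 1;
    return 0;
}

int main(void)
{
    printf("sizeof(resp)=%zu offsetof(driver_data)=%zu leaks=%d\n",
           create_ah_resp_size(), driver_data_offset(), response_leaks_uninitialised(7));
    return 0;
}
```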