platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl

Message ID 20230324010658.1082361-1-tzungbi@kernel.org (mailing list archive)
State Accepted
Commit b20cf3f89c56b5f6a38b7f76a8128bf9f291bbd3
Series platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl

Commit Message

Tzung-Bi Shih March 24, 2023, 1:06 a.m. UTC
It is possible to peep kernel page's data by providing larger `insize`
in struct cros_ec_command[1] when invoking EC host commands.

Fix it by using zeroed memory.

[1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74

Fixes: eda2e30c6684 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC")
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
---
 drivers/platform/chrome/cros_ec_chardev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
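
A user-space model of the leak the commit message describes, added here as an illustration; it is not the driver's code. The struct layout, the `MAX_MSG` value, the `0xA5` stale pattern and the assumption that `insize` bytes are copied back whatever the reply length are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSG 64   /* stand-in for EC_MAX_MSG_BYTES; the value is assumed */
#define STALE   0xA5 /* constructed marker for a previous owner's heap bytes */
/* Simplified request header: only the two size fields matter for the model. */
struct cmd { unsigned outsize, insize; unsigned char data[]; };

/* zero == 0 models kmalloc (block keeps old contents), zero == 1 models kzalloc. */
static void *model_alloc(size_t n, int zero)
{
    void *p = malloc(n);
    if (p)
        memset(p, zero ? 0x00 : STALE, n);
    return p;
}

/* One modelled ioctl: returns stale bytes reaching user_out, (size_t)-1 if rejected. */
size_t xcmd_model(unsigned outsize, unsigned insize, size_t reply_len,
                  int zero, unsigned char *user_out)
{
    if (outsize > MAX_MSG || insize > MAX_MSG)
        return (size_t)-1;
    size_t payload = outsize > insize ? outsize : insize;
    struct cmd *s = model_alloc(sizeof(*s) + payload, zero);
    if (!s)
        return (size_t)-1;
    s->outsize = outsize;
    s->insize = insize;
    memset(s->data, 0x11, outsize);          /* request bytes from the caller */
    if (reply_len > insize)
        reply_len = insize;
    memset(s->data, 0x22, reply_len);        /* device fills only its real reply */
    memcpy(user_out, s->data, insize);       /* assumed: insize bytes go back */
    size_t stale = 0;
    for (unsigned i = 0; i < insize; i++)
        stale += (user_out[i] == STALE);
    free(s);
    return stale;
}

int main(void)
{
    unsigned char buf[MAX_MSG];
    printf("kmalloc-like: %zu stale bytes returned\n", xcmd_model(0, 64, 4, 0, buf));
    printf("kzalloc-like: %zu stale bytes returned\n", xcmd_model(0, 64, 4, 1, buf));
    return 0;
}
```

The size check passes in both runs; only the allocator's behaviour decides whether the bytes past the 4-byte reply are stale or zero.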

Comments

Guenter Roeck March 24, 2023, 1:24 a.m. UTC | #1
On Thu, Mar 23, 2023 at 6:07 PM Tzung-Bi Shih <tzungbi@kernel.org> wrote:
>
> It is possible to peep kernel page's data by providing larger `insize`
> in struct cros_ec_command[1] when invoking EC host commands.
>
> Fix it by using zeroed memory.
>
> [1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74
>
> Fixes: eda2e30c6684 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC")
> Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>

Reviewed-by: Guenter Roeck <groeck@chromium.org>

> ---
>  drivers/platform/chrome/cros_ec_chardev.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c
> index 0de7c255254e..d6de5a294128 100644
> --- a/drivers/platform/chrome/cros_ec_chardev.c
> +++ b/drivers/platform/chrome/cros_ec_chardev.c
> @@ -284,7 +284,7 @@ static long cros_ec_chardev_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
>             u_cmd.insize > EC_MAX_MSG_BYTES)
>                 return -EINVAL;
>
> -       s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
> +       s_cmd = kzalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
>                         GFP_KERNEL);
>         if (!s_cmd)
>                 return -ENOMEM;
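
Review bot: The check above the allocation only caps u_cmd.insize at EC_MAX_MSG_BYTES, so a caller can still request more bytes than the EC produces, and the length later copied back to userspace is not visible in this hunk. Zeroing stops the disclosure, but it is worth confirming, or following up with a change, that the copy-out is limited to the length the EC actually returned rather than the requested insize, so the fix does not rest on the allocator alone.
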
> --
> 2.40.0.348.gf938b09366-goog
>
patchwork-bot+chrome-platform@kernel.org March 24, 2023, 3:20 a.m. UTC | #2
Hello:

This patch was applied to chrome-platform/linux.git (for-kernelci)
by Tzung-Bi Shih <tzungbi@kernel.org>:

On Fri, 24 Mar 2023 09:06:58 +0800 you wrote:
> It is possible to peep kernel page's data by providing larger `insize`
> in struct cros_ec_command[1] when invoking EC host commands.
> 
> Fix it by using zeroed memory.
> 
> [1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74
> 
> [...]

Here is the summary with links:
  - platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
    https://git.kernel.org/chrome-platform/c/b20cf3f89c56

You are awesome, thank you!
patchwork-bot+chrome-platform@kernel.org March 24, 2023, 3:40 a.m. UTC | #3
Hello:

This patch was applied to chrome-platform/linux.git (for-next)
by Tzung-Bi Shih <tzungbi@kernel.org>:

On Fri, 24 Mar 2023 09:06:58 +0800 you wrote:
> It is possible to peep kernel page's data by providing larger `insize`
> in struct cros_ec_command[1] when invoking EC host commands.
> 
> Fix it by using zeroed memory.
> 
> [1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74
> 
> [...]

Here is the summary with links:
  - platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
    https://git.kernel.org/chrome-platform/c/b20cf3f89c56

You are awesome, thank you!
Patch

diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c
index 0de7c255254e..d6de5a294128 100644
--- a/drivers/platform/chrome/cros_ec_chardev.c
+++ b/drivers/platform/chrome/cros_ec_chardev.c
@@ -284,7 +284,7 @@  static long cros_ec_chardev_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
 	    u_cmd.insize > EC_MAX_MSG_BYTES)
 		return -EINVAL;
 
-	s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
+	s_cmd = kzalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
 			GFP_KERNEL);
 	if (!s_cmd)
 		return -ENOMEM;
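
Review bot: The kzalloc call for s_cmd carries no comment saying that the zeroing is security-relevant, so a later cleanup could switch it back to kmalloc as a micro-optimisation. A short comment above the allocation, noting that the buffer is sized by max(u_cmd.outsize, u_cmd.insize), both caller-supplied, and that its contents go back to userspace, would record the intent next to the code.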