From patchwork Tue Jul 9 15:05:18 2019
X-Patchwork-Submitter: Yang Yingliang
X-Patchwork-Id: 11037119
From: Yang Yingliang
Cc: "linux-arm-kernel@lists.infradead.org", Hanjun Guo
Subject: Could info leak in preserve_iwmmxt_context() ?
Message-ID: <5D24AD2E.8080102@huawei.com>
Date: Tue, 9 Jul 2019 23:05:18 +0800

Hi, Julien

In this commit 73839798af7e ("ARM: 8790/1: signal: always use __copy_to_user to save iwmmxt context"):

* For bug-compatibility with older kernels, some space
@@ -86,10 +84,14 @@ static int preserve_iwmmxt_context(struct iwmmxt_sigframe __user *frame) * Set the magic and size appropriately so that properly * written userspace can skip it reliably: */ - __put_user_error(DUMMY_MAGIC, &frame->magic, err); - __put_user_error(IWMMXT_STORAGE_SIZE, &frame->size, err); + *kframe = (struct iwmmxt_sigframe) { + .magic = DUMMY_MAGIC, + .size = IWMMXT_STORAGE_SIZE, + }; The storage member of kframe is uninitialized, it seems will lead a info leak to userspace ? In section 2.4.2.3 Initializing Structure Members of gnu-c-manual, it has no specific behavior to define the uninitialized member. Please correct me if I am wrong. } + err = __copy_to_user(frame, kframe, sizeof(*kframe)); + Thanks, Yang --- a/arch/arm/kernel/signal.c +++ b/arch/arm/kernel/signal.c @@ -77,8 +77,6 @@ static int preserve_iwmmxt_context(struct iwmmxt_sigframe __user *frame) kframe->magic = IWMMXT_MAGIC; kframe->size = IWMMXT_STORAGE_SIZE; iwmmxt_task_copy(current_thread_info(), &kframe->storage); - - err = __copy_to_user(frame, kframe, sizeof(*frame)); } else { /*
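Review bot: In the @@ -86,10 +84,14 @@ hunk the compound literal `*kframe = (struct iwmmxt_sigframe) { .magic = DUMMY_MAGIC, .size = IWMMXT_STORAGE_SIZE, };` does initialize `storage`: C99 6.7.8 paragraphs 19 and 21 require members that an initializer list does not name to be initialized as objects of static storage duration, that is, to zero, so the `__copy_to_user(frame, kframe, sizeof(*kframe))` that follows copies zeroed bytes rather than stale stack contents. What the hunk lacks is a comment recording that this implicit zeroing is the reason a compound literal is used for the dummy frame; without it, someone later rewriting that branch as member-wise stores (`kframe->magic = DUMMY_MAGIC; kframe->size = IWMMXT_STORAGE_SIZE;`, mirroring the IWMMXT_MAGIC branch in the @@ -77,8 +77,6 @@ hunk, where `iwmmxt_task_copy()` fills `storage`) would silently reintroduce a copy of uninitialized stack memory to user space.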
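The question above turns on a single C rule: whether a compound literal that names only `magic` and `size` leaves `storage` uninitialized. The program below is an added example, not the kernel's code and not part of this thread; `struct dummy_sigframe`, `DUMMY_MAGIC_VAL` and `STORAGE_BYTES` are constructed stand-ins for the kernel's `struct iwmmxt_sigframe`, `DUMMY_MAGIC` and `IWMMXT_STORAGE_SIZE`, not their real definitions. It pre-fills the frame with a recognisable pattern to imitate stale stack contents, then compares the compound-literal assignment used in the patch with the member-wise stores that would actually leave `storage` untouched.

```c
/*
 * Added example (not the kernel's code): does a compound literal with
 * designated initializers zero the members it does not name?
 *
 * struct dummy_sigframe stands in for struct iwmmxt_sigframe; the magic
 * value and storage size are constructed placeholders, not kernel values.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STORAGE_BYTES   160          /* placeholder for IWMMXT_STORAGE_SIZE */
#define DUMMY_MAGIC_VAL 0xb0d9ed01UL /* placeholder for DUMMY_MAGIC */

struct dummy_sigframe {
    unsigned long magic;
    unsigned long size;
    unsigned char storage[STORAGE_BYTES];
};

/* Count bytes of storage that are not zero, i.e. would reach user space
 * unchanged if the frame were copied out as-is. */
static size_t nonzero_storage_bytes(const struct dummy_sigframe *f)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof f->storage; i++)
        if (f->storage[i] != 0)
            n++;
    return n;
}

/* The patched pattern: one compound literal naming only magic and size.
 * C99 6.7.8p19/p21: unnamed members are initialized as if static, so zero. */
size_t stale_after_compound_literal(void)
{
    struct dummy_sigframe kframe;

    memset(&kframe, 0xAA, sizeof kframe);   /* simulate stale stack contents */
    kframe = (struct dummy_sigframe) {
        .magic = DUMMY_MAGIC_VAL,
        .size  = STORAGE_BYTES,
    };
    return nonzero_storage_bytes(&kframe);  /* expected: 0 */
}

/* The contrasting pattern: member-wise stores touch only magic and size,
 * so whatever was on the stack in storage survives into the copy. */
size_t stale_after_memberwise_store(void)
{
    struct dummy_sigframe kframe;

    memset(&kframe, 0xAA, sizeof kframe);   /* simulate stale stack contents */
    kframe.magic = DUMMY_MAGIC_VAL;
    kframe.size  = STORAGE_BYTES;
    return nonzero_storage_bytes(&kframe);  /* expected: STORAGE_BYTES */
}

int main(void)
{
    printf("compound literal : %zu stale bytes left in storage\n",
           stale_after_compound_literal());
    printf("member-wise store: %zu stale bytes left in storage\n",
           stale_after_memberwise_store());
    return 0;
}
```

The first function models the hunk's `*kframe = (struct iwmmxt_sigframe) { ... }` and reports no stale bytes; the second models what a later rewrite to `kframe->magic = ...; kframe->size = ...;` would do, and every byte of `storage` keeps its stale pattern. That difference is exactly what a `__copy_to_user()` of the whole frame would or would not disclose.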