[Linux-kernel-mentees] [PATCH v3] media/v4l2-core: Fix kernel-infoleak in video_put_user()

Arnd Bergmann arnd at arndb.de
Tue Jul 28 13:58:21 UTC 2020


On Tue, Jul 28, 2020 at 3:06 PM Dan Carpenter <dan.carpenter at oracle.com> wrote:
>
> On Tue, Jul 28, 2020 at 02:22:29PM +0200, Linus Walleij wrote:
> > On Mon, Jul 27, 2020 at 3:17 PM Dan Carpenter <dan.carpenter at oracle.com> wrote:
> >
> > > Here are my latest warnings on linux-next from Friday.
> >
> > Thanks for sharing this Dan, very interesting findings.
> >
> > > drivers/gpio/gpiolib-cdev.c:473 lineevent_read() warn: check that 'ge' doesn't leak information (struct has a hole after 'id')
> >
> > We are revamping the ABI for 64bit compatibility so we are now running
> > pahole on our stuff. I suppose we need to think about mending this old ABI
> > as well.
>
> Yeah...  But this one is a false positive.  It's not super hard for me
> to silence it actually.  I'll take care of it.  It could be a while
> before I push this to the public repository though...

The lineevent_read() function still needs to be fixed to support
32-bit compat mode on x86, which is independent of the warning.

Something like

static int lineevent_put_data(void __user *uptr, struct gpioevent_data *ge)
{
#ifdef __x86_64__
        /* i386 has no padding after 'id' */
        if (in_ia32_syscall()) {
                struct {
                        compat_u64      timestamp __packed;
                        u32             id;
                } compat_ge = { ge->timestamp, ge->id };

                if (copy_to_user(uptr, &compat_ge, sizeof(compat_ge)))
                        return -EFAULT;

                return sizeof(compat_ge);
        }
#endif

        if (copy_to_user(uptr, ge, sizeof(*ge))
                return -EFAULT;

        return sizeof(*ge);
}

       Arnd


More information about the Linux-kernel-mentees mailing list