Thread: 32 messages, 11 authors, 2020-08-14

Re: [Linux-kernel-mentees] [PATCH net] rds: Prevent kernel-infoleak in rds_notify_queue_get()

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: 2020-07-31 11:59:25
Also in: linux-rdma, lkml, netdev

On Fri, Jul 31, 2020 at 01:14:09PM +0200, Håkon Bugge wrote:
> On 31 Jul 2020, at 11:59, Dan Carpenter [off-list ref] wrote:
> 
> > On Fri, Jul 31, 2020 at 07:53:01AM +0300, Leon Romanovsky wrote:
> > > On Thu, Jul 30, 2020 at 03:20:26PM -0400, Peilin Ye wrote:
> > > > rds_notify_queue_get() is potentially copying uninitialized kernel stack
> > > > memory to userspace since the compiler may leave a 4-byte hole at the end
> > > > of `cmsg`.
> > > > 
> > > > In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which
> > > > unfortunately does not always initialize that 4-byte hole. Fix it by using
> > > > memset() instead.
> > > Of course, this is the difference between "{ 0 }" and "{}" initializations.
> > No, there is no difference.  Even struct assignments like:
> > 
> > 	foo = *bar;
> > 
> > can leave struct holes uninitialized.  Depending on the compiler the
> > assignment can be implemented as a memset() or as a series of struct
> > member assignments.
> What about:
> 
> struct rds_rdma_notify {
> 	__u64                      user_token;
> 	__s32                      status;
> } __attribute__((packed));
Why is this still a discussion at all?

Try it and see, run pahole and see if there are holes in this structure
(odds are no), you don't need us to say what is happening here...

thanks,

greg k-h
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
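As an added illustration (not code from the patch or from anyone in the thread), this userspace C program measures the trailing hole Peilin describes, shows that the packed layout Håkon proposes has none, and checks that a memset()-based fill leaves the padding zeroed. The struct member names are kept from the thread; the helper names are introduced here, and the 4-byte result assumes a 64-bit ABI where a 64-bit integer is 8-byte aligned (pahole, as Greg suggests, reports the same hole for the kernel's build).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Userspace mirror of the uapi struct from the thread (uint64_t/int32_t
 * stand in for __u64/__s32). 8 + 4 = 12 bytes of data, padded to 16. */
struct rds_rdma_notify {
    uint64_t user_token;
    int32_t  status;
};

/* Håkon's proposal: packed, so sizeof == 12 and there is no tail hole. */
struct rds_rdma_notify_packed {
    uint64_t user_token;
    int32_t  status;
} __attribute__((packed));

/* Padding bytes after the last member: the hole copy_to_user() would leak. */
size_t notify_tail_hole(void) {
    return sizeof(struct rds_rdma_notify)
         - (offsetof(struct rds_rdma_notify, status) + sizeof(int32_t));
}

size_t notify_packed_tail_hole(void) {
    return sizeof(struct rds_rdma_notify_packed)
         - (offsetof(struct rds_rdma_notify_packed, status) + sizeof(int32_t));
}

/* The fix's approach: memset() the whole object, then set the members, so
 * the padding is zero no matter how the compiler lowers an initializer. */
void notify_fill(struct rds_rdma_notify *n, uint64_t token, int32_t status) {
    memset(n, 0, sizeof(*n));
    n->user_token = token;
    n->status = status;
}

/* Poison the stack slot (as stale stack contents would), fill it the safe
 * way, and return 1 if every padding byte ended up zero. */
int notify_fill_zeroes_padding(void) {
    struct rds_rdma_notify n;
    const unsigned char *p = (const unsigned char *)&n;
    size_t data_end = offsetof(struct rds_rdma_notify, status) + sizeof(int32_t);
    memset(&n, 0xAA, sizeof n);
    notify_fill(&n, 0x1122334455667788ULL, -5);
    for (size_t i = data_end; i < sizeof n; i++)
        if (p[i] != 0) return 0;
    return 1;
}

int main(void) {
    printf("sizeof=%zu hole=%zu packed_hole=%zu padding_zeroed=%d\n",
           sizeof(struct rds_rdma_notify), notify_tail_hole(),
           notify_packed_tail_hole(), notify_fill_zeroes_padding());
    return 0;
}
```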