On Sat, 2019-10-26 at 17:24 +0300, Dan Carpenter wrote:
> On Sat, Oct 26, 2019 at 03:54:16PM +0800, zhanglin wrote:
> > memset() the structure ethtool_wolinfo that has padded bytes
> > but the padded bytes have not been zeroed out.
[]
> > diff --git a/net/core/ethtool.c b/net/core/ethtool.c
[]
> > @@ -1471,11 +1471,13 @@ static int ethtool_reset(struct net_device *dev, char __user *useraddr)
> >
> > static int ethtool_get_wol(struct net_device *dev, char __user *useraddr)
> > {
> > - struct ethtool_wolinf wol = { .cmd = ETHTOOL_GWOL };
> > + struct ethtool_wolinfo wol;
> >
>
> How did you detect that they weren't initialized? Is this a KASAN
> thing?
>
> Most of the time GCC will zero out the padding bytes when you have an
> initializer like this, but sometimes it just makes the intialization a
> series of assignments which leaves the holes uninitialized. I wish I
> knew the rules so that I could check for it in Smatch. Or even better,
> I wish that there were an option to always zero the holes in this
> situation...
The standard doesn't specify what happens to the padding so
it's not just for gcc, it's compiler dependent.
So anything that's used in a copy_to_user with any possible
padding should either be zalloc'd or memset before assigned.
In this case:
include/uapi/linux/ethtool.h:#define SOPASS_MAX 6
and
include/uapi/linux/ethtool.h:struct ethtool_wolinfo {
include/uapi/linux/ethtool.h- __u32 cmd;
include/uapi/linux/ethtool.h- __u32 supported;
include/uapi/linux/ethtool.h- __u32 wolopts;
include/uapi/linux/ethtool.h- __u8 sopass[SOPASS_MAX];
include/uapi/linux/ethtool.h-};
so there's likely a couple bytes of trailing padding.
