On Fri, Dec 08, 2023 at 09:00:59PM +0800, Xingyuan Mo wrote: > This function may copy the pad0 field of struct hl_info_sec_attest to user > mode which has not been initialized, resulting in leakage of kernel heap > data to user mode. To prevent this, use kzalloc() to allocate and zero out > the buffer, which can also eliminate other uninitialized holes, if any. > > Fixes: 0c88760f8f5e ("habanalabs/gaudi2: add secured attestation info uapi") > Signed-off-by: Xingyuan Mo <hdthky0@xxxxxxxxx> > --- > drivers/accel/habanalabs/common/habanalabs_ioctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/accel/habanalabs/common/habanalabs_ioctl.c b/drivers/accel/habanalabs/common/habanalabs_ioctl.c > index 8ef36effb95b..a7cd625d82c0 100644 > --- a/drivers/accel/habanalabs/common/habanalabs_ioctl.c > +++ b/drivers/accel/habanalabs/common/habanalabs_ioctl.c > @@ -685,7 +685,7 @@ static int sec_attest_info(struct hl_fpriv *hpriv, struct hl_info_args *args) > if (!sec_attest_info) > return -ENOMEM; > > - info = kmalloc(sizeof(*info), GFP_KERNEL); > + info = kzalloc(sizeof(*info), GFP_KERNEL); > if (!info) { > rc = -ENOMEM; > goto free_sec_attest_info; > -- > 2.34.1 > Reviewed-by: Oded Gabbay <ogabbay@xxxxxxxxxx> Applied to -next. Thanks, Oded
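
Review bot: at the `info = kzalloc(sizeof(*info), GFP_KERNEL);` line in sec_attest_info(), nothing in the code records why zeroing is required, so a later cleanup could switch the call back to kmalloc() and reopen the pad0 leak. A one-line comment above the allocation, noting that the struct goes to user mode with its padding included, would guard against that. The allocation of sec_attest_info, whose NULL check sits just above, is outside the visible context, so it is worth confirming that buffer is either zeroed or never copied out wholesale. Since the message describes a kernel heap leak to user mode and carries a Fixes: tag, consider adding Cc: stable@vger.kernel.org so the fix reaches the stable trees.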