On Sat, Mar 21, 2020 at 08:56:20PM -0700, Eric Biggers wrote:
> On Wed, Mar 18, 2020 at 09:39:40AM -0700, Eric Biggers wrote:
> > On Fri, Mar 13, 2020 at 09:45:11AM -0700, Eric Biggers wrote:
> > > On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote:
> > > > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> > > >
> > > > Reading from a debugfs file at a nonzero position, without first reading
> > > > at position 0, leaks uninitialized memory to userspace.
> > > >
> > > > It's a bit tricky to do this, since lseek() and pread() aren't allowed
> > > > on these files, and write() doesn't update the position on them. But
> > > > writing to them with splice() *does* update the position:
> > > >
> > > > #define _GNU_SOURCE 1
> > > > #include <fcntl.h>
> > > > #include <stdio.h>
> > > > #include <unistd.h>
> > > > int main()
> > > > {
> > > > int pipes[2], fd, n, i;
> > > > char buf[32];
> > > >
> > > > pipe(pipes);
> > > > write(pipes[1], "0", 1);
> > > > fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
> > > > splice(pipes[0], NULL, fd, NULL, 1, 0);
> > > > n = read(fd, buf, sizeof(buf));
> > > > for (i = 0; i < n; i++)
> > > > printf("%02x", buf[i]);
> > > > printf("\n");
> > > > }
> > > >
> > > > Output:
> > > > 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
> > > >
> > > > Fix the infoleak by making simple_attr_read() always fill
> > > > simple_attr::get_buf if it hasn't been filled yet.
> > > >
> > > > Reported-by: syzbot+fcab69d1ada3e8d6f06b@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > > Reported-by: Alexander Potapenko <glider@xxxxxxxxxx>
> > > > Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
> > > > Cc: stable@xxxxxxxxxxxxxxx
> > > > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> > > > ---
> > > > fs/libfs.c | 8 +++++---
> > > > 1 file changed, 5 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/fs/libfs.c b/fs/libfs.c
> > > > index c686bd9caac6..3759fbacf522 100644
> > > > --- a/fs/libfs.c
> > > > +++ b/fs/libfs.c
> > > > @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file,
> > > > {
> > > > struct simple_attr *attr;
> > > >
> > > > - attr = kmalloc(sizeof(*attr), GFP_KERNEL);
> > > > + attr = kzalloc(sizeof(*attr), GFP_KERNEL);
> > > > if (!attr)
> > > > return -ENOMEM;
> > > >
> > > > @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
> > > > if (ret)
> > > > return ret;
> > > >
> > > > - if (*ppos) { /* continued read */
> > > > + if (*ppos && attr->get_buf[0]) {
> > > > + /* continued read */
> > > > size = strlen(attr->get_buf);
> > > > - } else { /* first read */
> > > > + } else {
> > > > + /* first read */
> > > > u64 val;
> > > > ret = attr->get(attr->data, &val);
> > > > if (ret)
> > > > --
> > > > 2.25.1
> > >
> > > Any comments on this? Al, seems this is something you should pick up?
> > >
> > > - Eric
> >
> > Ping.
> >
>
> Andrew, can you consider taking this patch? Al has been ignoring it, and this
> seems like a fairly important fix. This bug affects many (most?) debugfs files,
> and it affects years old kernels too not just recent ones.
As it affects debugfs files, I'll grab it now, thanks.
greg k-h
