> Structure ib_uverbs_qp_attr is copied to userland with allmost all > fields uninitialized (140 bytes on x86). It leads to leaking of > contents of kernel stack memory. I don't think most of the fields are uninitialized... we have: memset(&qp_attr, 0, sizeof qp_attr); and then later on, ib_copy_qp_attr_to_user(&resp, &qp_attr); which actually does initialize almost all of the fields in resp. The things that are missing are clearing out the reserved fields in the structures, and also resp.qp_state never gets set. I would suggest adding code to clear the reserved fields of structures to ib_copy_qp_attr_to_user() and ib_copy_ah_attr_to_user(), since this will fix what looks to be the same problem in ucma_init_qp_attr() (in drivers/infiniband/core/ucma.c). Sean, what is intended for qp_state handling here? It seems ib_copy_qp_attr_to_user() should either clear it or set it to something sensible. - R. -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
