Re: [PATCH] media: omap3isp: Use struct_group() for memcpy() region

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Dec 15, 2021 at 09:38:55AM -0800, Kees Cook wrote:
> On Mon, Dec 13, 2021 at 05:24:16PM -0600, Gustavo A. R. Silva wrote:
> > On Thu, Nov 18, 2021 at 10:43:52AM -0800, Kees Cook wrote:
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > > field bounds checking for memcpy(), memmove(), and memset(), avoid
> > > intentionally writing across neighboring fields. Wrap the target region
> > > in struct_group(). This additionally fixes a theoretical misalignment
> > > of the copy (since the size of "buf" changes between 64-bit and 32-bit,
> > > but this is likely never built for 64-bit).
> > > 
> > > FWIW, I think this code is totally broken on 64-bit (which appears to
> > > not be a "real" build configuration): it would either always fail (with
> > > an uninitialized data->buf_size) or would cause corruption in userspace
> > > due to the copy_to_user() in the call path against an uninitialized
> > > data->buf value:
> > > 
> > > omap3isp_stat_request_statistics_time32(...)
> > >     struct omap3isp_stat_data data64;
> > >     ...
> > >     omap3isp_stat_request_statistics(stat, &data64);
> > > 
> > > int omap3isp_stat_request_statistics(struct ispstat *stat,
> > >                                      struct omap3isp_stat_data *data)
> > >     ...
> > >     buf = isp_stat_buf_get(stat, data);
> > > 
> > > static struct ispstat_buffer *isp_stat_buf_get(struct ispstat *stat,
> > >                                                struct omap3isp_stat_data *data)
> > > ...
> > >     if (buf->buf_size > data->buf_size) {
> > >             ...
> > >             return ERR_PTR(-EINVAL);
> > >     }
> > >     ...
> > >     rval = copy_to_user(data->buf,
> > >                         buf->virt_addr,
> > >                         buf->buf_size);
> > > 
> > > Regardless, additionally initialize data64 to be zero-filled to avoid
> > > undefined behavior.
> > > 
> > > Fixes: 378e3f81cb56 ("media: omap3isp: support 64-bit version of omap3isp_stat_data")
> > > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

Reviewed-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>

> > > ---
> > >  drivers/media/platform/omap3isp/ispstat.c |  5 +++--
> > >  include/uapi/linux/omap3isp.h             | 21 +++++++++++++--------
> > >  2 files changed, 16 insertions(+), 10 deletions(-)
> > > 
> > > diff --git a/drivers/media/platform/omap3isp/ispstat.c b/drivers/media/platform/omap3isp/ispstat.c
> > > index 5b9b57f4d9bf..68cf68dbcace 100644
> > > --- a/drivers/media/platform/omap3isp/ispstat.c
> > > +++ b/drivers/media/platform/omap3isp/ispstat.c
> > > @@ -512,7 +512,7 @@ int omap3isp_stat_request_statistics(struct ispstat *stat,
> > >  int omap3isp_stat_request_statistics_time32(struct ispstat *stat,
> > >  					struct omap3isp_stat_data_time32 *data)
> > >  {
> > > -	struct omap3isp_stat_data data64;
> > > +	struct omap3isp_stat_data data64 = { };
> > >  	int ret;
> > >  
> > >  	ret = omap3isp_stat_request_statistics(stat, &data64);
> > > @@ -521,7 +521,8 @@ int omap3isp_stat_request_statistics_time32(struct ispstat *stat,
> > >  
> > >  	data->ts.tv_sec = data64.ts.tv_sec;
> > >  	data->ts.tv_usec = data64.ts.tv_usec;
> > > -	memcpy(&data->buf, &data64.buf, sizeof(*data) - sizeof(data->ts));
> > > +	data->buf = (uintptr_t)data64.buf;
> > 
> > Shouldn't this be
> > 
> > 	data->buf = (uintptr_t)(void *)data64.buf;
> > 
> > instead?
> 
> This is already a void *:
> 
> struct omap3isp_stat_data {
> 	...
>         void __user *buf;
> };
> 
> But I agree, the mix of structures in here is confusing! :)

Yep; you're right. :)

Thanks
--
Gustavo



[Index of Archives]     [Linux Input]     [Video for Linux]     [Gstreamer Embedded]     [Mplayer Users]     [Linux USB Devel]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]

  Powered by Linux