https://bugzilla.kernel.org/show_bug.cgi?id=210973

            Bug ID: 210973
           Summary: info leaks in all kernel versions including android
           Product: Drivers
           Version: 2.5
    Kernel Version: latest
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: high
          Priority: P1
         Component: Infiniband/RDMA
          Assignee: drivers_infiniband-rdma@xxxxxxxxxxxxxxxxxxxx
          Reporter: fxast243@xxxxxxxxx
        Regression: No

While auditing the Android kernel source code, I noticed that there is
uninitialized data which could lead to an info leak in the ib_uverbs_create_ah
function. I downloaded the source code from here:
https://android.googlesource.com/kernel/common

It also exists in linux master:
https://github.com/torvalds/linux/blob/master/drivers/infiniband/core/uverbs_cmd.c#L2408

# BUG

	resp.ah_handle = uobj->id;
	return uverbs_response(attrs, &resp, sizeof(resp));

# 1

static int ib_uverbs_create_ah(struct uverbs_attr_bundle *attrs)
{
	struct ib_uverbs_create_ah cmd;
	struct ib_uverbs_create_ah_resp resp;	/* <== points to ah_handle and driver_data */
	struct ib_uobject *uobj;
	struct ib_pd *pd;
	struct ib_ah *ah;
	struct rdma_ah_attr attr = {};
	int ret;
	struct ib_device *ib_dev;

	ret = uverbs_request(attrs, &cmd, sizeof(cmd));
	if (ret)
		ret ..etc

	ah->uobject = uobj;
	uobj->user_handle = cmd.user_handle;
	uobj->object = ah;

	uobj_put_obj_read(pd);
	uobj_finalize_uobj_create(uobj, attrs);

	resp.ah_handle = uobj->id;	/* <== */
	// __u32 driver_data[0];	/* <== ??? Uninitialized data. */
	return uverbs_response(attrs, &resp, sizeof(resp));	/* <== memory leaks */
}

//include/uapi/rdma/ib_user_verbs.h
struct ib_uverbs_create_ah_resp {
	__u32 ah_handle;
	__u32 driver_data[0];
};

static int uverbs_response(struct uverbs_attr_bundle *attrs, const void *resp,
			   size_t resp_len)
{
	int ret;

	if (uverbs_attr_is_valid(attrs, UVERBS_ATTR_CORE_OUT))
		return uverbs_copy_to_struct_or_zero(
			attrs, UVERBS_ATTR_CORE_OUT, resp, resp_len);

	if (copy_to_user(attrs->ucore.outbuf, resp,
			 min(attrs->ucore.outlen, resp_len)))	/* <== copy data to userspace */
		return -EFAULT;
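An added example, not the reporter's or the kernel's code: a user-space C model of the copy that uverbs_response performs with sizeof(resp), used to check a response struct for bytes that would reach userspace without the handler ever writing them. It mirrors the struct quoted from ib_user_verbs.h (where the zero-length driver_data array adds no bytes to sizeof, so the check finds none) and adds a hypothetical padded_resp layout in which field-by-field assignment does leave padding bytes stale, alongside the memset zeroing that prevents it; padded_resp, CANARY, uninit_bytes and the leak_* functions are assumed names.

```c
#include <stdint.h>
#include <string.h>

/* Mirror of the UAPI struct quoted in the report (uint32_t stands in for __u32). */
struct ib_uverbs_create_ah_resp {
	uint32_t ah_handle;
	uint32_t driver_data[0];	/* zero-length array: adds no bytes to sizeof */
};

/* Hypothetical layout (not from the kernel): 2 padding bytes sit between the
 * fields, which is where field-by-field filling really does leak stack bytes. */
struct padded_resp {
	uint16_t flags;
	uint32_t cookie;
};

#define CANARY 0xA5	/* stands in for stale kernel stack contents */

/* Count bytes still holding the canary: bytes the handler never wrote but that
 * copy_to_user(..., sizeof(resp)) would hand to userspace anyway. The volatile
 * read forces real byte loads so the compiler cannot reason the check away. */
static size_t uninit_bytes(const void *obj, size_t len)
{
	const volatile unsigned char *p = obj;
	size_t n = 0;
	for (size_t i = 0; i < len; i++)
		n += (p[i] == CANARY);
	return n;
}

/* Pattern from the report: poisoned stack object, only ah_handle assigned. */
size_t leak_create_ah_resp(void)
{
	struct ib_uverbs_create_ah_resp resp;
	memset(&resp, CANARY, sizeof(resp));	/* simulate stale stack */
	resp.ah_handle = 7;
	return uninit_bytes(&resp, sizeof(resp));	/* 0: sizeof(resp) is 4 */
}

/* Same pattern on the padded layout. With zero_first == 0 the padding bytes
 * are copied out unwritten; with zero_first == 1 (the fix: clear the whole
 * object before filling its fields) nothing stale survives. */
size_t leak_padded(int zero_first)
{
	struct padded_resp resp;
	memset(&resp, CANARY, sizeof(resp));	/* simulate stale stack */
	if (zero_first)
		memset(&resp, 0, sizeof(resp));
	resp.flags = 7;
	resp.cookie = 9;
	return uninit_bytes(&resp, sizeof(resp));	/* 2 without zeroing, 0 with */
}
```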