On Wed, Dec 30, 2020 at 10:50:43PM +0000, bugzilla-daemon@xxxxxxxxxxxxxxxxxxx wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=210973
>
>             Bug ID: 210973
>            Summary: info leaks in all kernel versions including android
>            Product: Drivers
>            Version: 2.5
>     Kernel Version: latest
>           Hardware: All
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: high
>           Priority: P1
>          Component: Infiniband/RDMA
>           Assignee: drivers_infiniband-rdma@xxxxxxxxxxxxxxxxxxxx
>           Reporter: fxast243@xxxxxxxxx
>         Regression: No
>
> While I audited the Android kernel source code, I noticed that there is
> uninitialized data which could lead to an info leak in the ib_uverbs_create_ah
> function. I downloaded the source code from here:
> https://android.googlesource.com/kernel/common. It also exists in the
> linux-masters:
>
> https://github.com/torvalds/linux/blob/master/drivers/infiniband/core/uverbs_cmd.c#L2408
>
>
> # BUG
> resp.ah_handle = uobj->id;
> return uverbs_response(attrs, &resp, sizeof(resp));

Thanks for the report.

There is no info leak here because, according to the C99 standard, if a flexible array doesn't have members, it will be treated as non-existent for the struct size calculations.

In our case sizeof(u32) == sizeof(struct ib_uverbs_create_ah_resp) and not sizeof(u32) + sizeof(u32) as you wrote.

See 6.7.2.1 Structure and union specifiers, item 16 for more info.

Thanks
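To make the sizeof argument concrete, here is an added example that is not part of the thread: `create_ah_resp`, `assumed_resp`, `padded_resp` and the two helper functions are constructed stand-ins, not the kernel's own definitions. It also goes one step beyond the thread by showing the layout where sizeof does cover bytes no member initializes (compiler padding), which is the case a reviewer of copy-to-user code actually has to rule out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the response layout discussed in the thread: one u32 handle
 * followed by a flexible array member. C99 6.7.2.1 says the flexible array
 * contributes nothing to sizeof, so sizeof(struct create_ah_resp) == 4. */
struct create_ah_resp {
    uint32_t ah_handle;
    uint32_t driver_data[];
};

/* What the report assumed: a real second u32 after the handle (size 8). */
struct assumed_resp {
    uint32_t ah_handle;
    uint32_t driver_data;
};

/* Constructed counter-example: here sizeof DOES cover bytes no member
 * initializes, because the compiler pads 3 bytes after the u8. */
struct padded_resp {
    uint8_t  flag;
    uint32_t ah_handle;
};

/* Bytes inside a struct that no named member covers. Non-zero means a
 * whole-struct copy to user space carries stack bytes the code never set. */
size_t resp_uncovered_bytes(size_t struct_size, size_t member_bytes)
{
    return struct_size - member_bytes;
}

/* Emulates the quoted code path: assign the handle only (no memset), then
 * copy sizeof(resp) bytes out. Returns how many bytes were copied. */
size_t emulate_create_ah_response(uint32_t id, unsigned char *out)
{
    struct create_ah_resp resp;   /* deliberately not zeroed, like the page's code */
    resp.ah_handle = id;
    memcpy(out, &resp, sizeof(resp));
    return sizeof(resp);
}

int main(void)
{
    printf("flexible: %zu  assumed: %zu  padded: %zu (uncovered %zu)\n",
           sizeof(struct create_ah_resp), sizeof(struct assumed_resp),
           sizeof(struct padded_resp),
           resp_uncovered_bytes(sizeof(struct padded_resp),
                                sizeof(uint8_t) + sizeof(uint32_t)));
    return 0;
}
```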