https://bugzilla.kernel.org/show_bug.cgi?id=214711

            Bug ID: 214711
           Summary: Memory leakage from kernel to user space
           Product: SCSI Drivers
           Version: 2.5
    Kernel Version: 5.15-rc5
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: scsi_drivers-other@xxxxxxxxxxxxxxxxxxxx
          Reporter: bao00065@xxxxxxx
        Regression: No

Hi Maintainer,

I just found an uninitialized value use bug that causes memory leakage from
kernel to user space. Here are the details:

The vulnerable function is in /drivers/scsi/scsi_ioctl.c:

static int scsi_put_cdrom_generic_arg(const struct cdrom_generic_command *cgc,
				      void __user *arg)
{
#ifdef CONFIG_COMPAT
	if (in_compat_syscall()) {
		struct compat_cdrom_generic_command cgc32 = {
			.buffer = (uintptr_t)(cgc->buffer),
			.buflen = cgc->buflen,
			.stat = cgc->stat,
			.sense = (uintptr_t)(cgc->sense),
			.data_direction = cgc->data_direction,
			.quiet = cgc->quiet,
			.timeout = cgc->timeout,
			.unused = (uintptr_t)(cgc->unused),
		};
		memcpy(&cgc32.cmd, &cgc->cmd, CDROM_PACKET_SIZE);
		if (copy_to_user(arg, &cgc32, sizeof(cgc32)))
			return -EFAULT;
		return 0;
	}
#endif
	if (copy_to_user(arg, cgc, sizeof(*cgc)))
		return -EFAULT;
	return 0;
}

The issue is that struct cgc32 is partially initialized, since pad[3] is not
initialized. This struct is then passed to copy_to_user, and 3 bytes are
leaked from kernel space to userspace.

The struct is declared here:

struct compat_cdrom_generic_command {
	unsigned char cmd[CDROM_PACKET_SIZE];
	compat_caddr_t buffer;
	compat_uint_t buflen;
	compat_int_t stat;
	compat_caddr_t sense;
	unsigned char data_direction;
	unsigned char pad[3];
	compat_int_t quiet;
	compat_int_t timeout;
	compat_caddr_t unused;
};
#endif

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are watching the assignee of the bug.
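The question a reviewer has to settle for a report like this is where every byte of the object handed to copy_to_user() comes from. The following is an added, user-space example (not code from the report or from the kernel) that models the quoted struct with plain fixed-width types (compat_caddr_t and compat_uint_t as uint32_t, compat_int_t as int32_t, an assumption about the compat ABI) and the sample field values are constructed. It builds the object two ways, the designated-initializer way the kernel code uses and a memset-first variant, and exposes three checks a practitioner wants: whether the layout hides any unnamed compiler padding (bytes that no initializer can name), whether the omitted pad[] member comes out zero, and whether the zeroed build does too. C11 6.7.9 requires members omitted from a brace initializer to be zero-initialized; it makes no such promise for unnamed padding, which is why zeroing the whole object before copying it out is the defensive pattern regardless of what the layout looks like today.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CDROM_PACKET_SIZE 12

/* User-space stand-in for the kernel's compat struct (assumed types:
 * compat_caddr_t/compat_uint_t = uint32_t, compat_int_t = int32_t).
 * Member order matches the declaration quoted in the report. */
struct compat_cdrom_generic_command {
    unsigned char cmd[CDROM_PACKET_SIZE];
    uint32_t buffer;
    uint32_t buflen;
    int32_t stat;
    uint32_t sense;
    unsigned char data_direction;
    unsigned char pad[3];
    int32_t quiet;
    int32_t timeout;
    uint32_t unused;
};

/* Bytes reachable through a member name; anything sizeof() adds on top
 * of this is compiler-inserted padding that no initializer can touch. */
static size_t named_member_bytes(void)
{
    return CDROM_PACKET_SIZE            /* cmd */
         + sizeof(uint32_t) * 2         /* buffer, buflen */
         + sizeof(int32_t)              /* stat */
         + sizeof(uint32_t)             /* sense */
         + 1 + 3                        /* data_direction, pad[3] */
         + sizeof(int32_t) * 2          /* quiet, timeout */
         + sizeof(uint32_t);            /* unused */
}

/* Number of unnamed padding bytes in the struct (0 on the usual ABIs). */
size_t hidden_padding_bytes(void)
{
    return sizeof(struct compat_cdrom_generic_command) - named_member_bytes();
}

/* Counts non-zero bytes in pad[]; a leak of stack contents would show up here. */
static int pad_nonzero(const struct compat_cdrom_generic_command *c)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(c->pad); i++)
        n += (c->pad[i] != 0);
    return n;
}

/* Same shape as the kernel code: designated initializer, pad[] never named.
 * Returns the count of non-zero pad bytes after the build. */
int pad_nonzero_after_designated_init(void)
{
    struct compat_cdrom_generic_command cgc32 = {
        .buffer = 0x1000,            /* constructed sample values */
        .buflen = 64,
        .stat = 0,
        .sense = 0x2000,
        .data_direction = 1,
        .quiet = 0,
        .timeout = 5,
        .unused = 0,
    };
    memset(cgc32.cmd, 0x12, CDROM_PACKET_SIZE);
    return pad_nonzero(&cgc32);
}

/* Defensive build: zero the whole object first, so even unnamed padding
 * is clean before any copy out of the kernel. */
int pad_nonzero_after_zeroed_init(void)
{
    struct compat_cdrom_generic_command cgc32;
    memset(&cgc32, 0, sizeof(cgc32));
    cgc32.buffer = 0x1000;
    cgc32.buflen = 64;
    cgc32.sense = 0x2000;
    cgc32.data_direction = 1;
    cgc32.timeout = 5;
    memset(cgc32.cmd, 0x12, CDROM_PACKET_SIZE);
    return pad_nonzero(&cgc32);
}

int main(void)
{
    printf("sizeof=%zu hidden padding=%zu\n",
           sizeof(struct compat_cdrom_generic_command), hidden_padding_bytes());
    printf("non-zero pad bytes: designated=%d zeroed=%d\n",
           pad_nonzero_after_designated_init(), pad_nonzero_after_zeroed_init());
    return 0;
}
```

With this layout every byte of the 44-byte object is a named member, so hidden_padding_bytes() reports 0 and both builds leave pad[] zeroed; the memset-first variant is the one that stays correct if a member is ever reordered or resized so that unnamed padding appears.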