From patchwork Wed Jan 2 17:20:27 2019
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 1020042
X-Patchwork-Delegate: davem@davemloft.net
From: Eric Dumazet
To: "David S . Miller"
Cc: netdev, Eric Dumazet, Eric Dumazet, syzbot, Karsten Keil
Subject: [PATCH net] isdn: fix kernel-infoleak in capi_unlocked_ioctl
Date: Wed, 2 Jan 2019 09:20:27 -0800
Message-Id: <20190102172027.121505-1-edumazet@google.com>

Since capi_ioctl() copies 64 bytes after calling capi20_get_manufacturer()
we need to ensure not to leak information to user.

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 0 PID: 11245 Comm: syz-executor633 Not tainted 4.20.0-rc7+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
 kmsan_internal_check_memory+0x9d4/0xb00 mm/kmsan/kmsan.c:704
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 capi_ioctl include/linux/uaccess.h:177 [inline]
 capi_unlocked_ioctl+0x1a0b/0x1bf0 drivers/isdn/capi/capi.c:939
 do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46
 ksys_ioctl fs/ioctl.c:713 [inline]
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl+0x1da/0x270 fs/ioctl.c:718
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:718
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x440019
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdd4659fb8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440019
RDX: 0000000020000080 RSI: 00000000c0044306 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004018a0
R13: 0000000000401930 R14: 0000000000000000 R15: 0000000000000000

Local variable description: ----data.i@capi_unlocked_ioctl
Variable was created at:
 capi_ioctl drivers/isdn/capi/capi.c:747 [inline]
 capi_unlocked_ioctl+0x82/0x1bf0 drivers/isdn/capi/capi.c:939
 do_vfs_ioctl+0xebd/0x2bf0 fs/ioctl.c:46

Bytes 12-63 of 64 are uninitialized
Memory access of size 64 starts at ffff88807ac5fce8
Data copied to user address 0000000020000080

Signed-off-by: Eric Dumazet
Reported-by: syzbot
Cc: Karsten Keil
---
 drivers/isdn/capi/kcapi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
index 0ff517d3c98f98e91aaabafc8051440a0486ce74..a4ceb61c5b6035fef835759d0761c733dea3fde8 100644
--- a/drivers/isdn/capi/kcapi.c
+++ b/drivers/isdn/capi/kcapi.c
@@ -852,7 +852,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
 	u16 ret;
 
 	if (contr == 0) {
-		strlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
+		strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN);
 		return CAPI_NOERROR;
 	}
 
@@ -860,7 +860,7 @@ u16 capi20_get_manufacturer(u32 contr, u8 *buf)
 	ctr = get_capi_ctr_by_nr(contr);
 	if (ctr && ctr->state == CAPI_CTR_RUNNING) {
-		strlcpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
+		strncpy(buf, ctr->manu, CAPI_MANUFACTURER_LEN);
 		ret = CAPI_NOERROR;
 	} else
 		ret = CAPI_REGNOTINSTALLED;
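Review bot: In the first hunk (the contr == 0 branch) the switch from strlcpy() to strncpy() fixes the leak only because strncpy() zero-fills the remainder of the CAPI_MANUFACTURER_LEN buffer, which is exactly the bytes 12-63 KMSAN flagged; since strncpy() is routinely flagged as a mistake in review, a one-line comment at the call site saying that the padding is intentional because capi_ioctl() copies the whole 64-byte buffer to user space would keep the next reader from "fixing" it back. The changelog could also state that the buffer is padded in the producer, kcapi.c, rather than memset in the consumer, capi.c, so every caller of capi20_get_manufacturer() gets a fully initialized buffer.

Review bot: In the second hunk, ctr->manu comes from the registered controller rather than from a constant, and strncpy() with a bound of CAPI_MANUFACTURER_LEN stores no terminating NUL when the source is CAPI_MANUFACTURER_LEN bytes or longer; if any caller treats buf as a C string, this branch would be safer as a memset(buf, 0, CAPI_MANUFACTURER_LEN) followed by the original strlcpy(), or with an explicit `buf[CAPI_MANUFACTURER_LEN - 1] = 0;` after the copy, which preserves both the zero padding and termination.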
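The mechanism behind the report, as an added userspace model that is not part of the patch: a 64-byte buffer is pre-filled with a recognisable pattern standing in for stale stack contents, then filled through either a strlcpy()-style copy (stops after the NUL, leaving the tail untouched) or strncpy() (zero-pads to the bound, as the patch does), and the function counts how many of the 64 bytes that capi_ioctl() would hand to copy_to_user() still carry stale data. The manufacturer string, the kstrlcpy() helper and the 0xAA fill pattern are constructed for the example; CAPI_MANUFACTURER_LEN is redefined locally with the page's value of 64.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel definitions referenced by the patch. */
#define CAPI_MANUFACTURER_LEN 64
/* Sample 11-character manufacturer string (constructed); with the NUL it
 * initializes bytes 0-11, leaving bytes 12-63 untouched, as KMSAN reported. */
static const char capi_manufakturer[] = "ACME-ISDN-X";

/* Userspace stand-in for the kernel's strlcpy(): copies at most size-1
 * bytes, always NUL-terminates, and never writes past the terminator. */
static size_t kstrlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);

    if (size) {
        size_t n = len >= size ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Pre-fill the buffer with 0xAA to stand in for whatever the stack held,
 * run the chosen copy routine, and return how many of the 64 bytes that
 * would be copied to user space still contain the stale pattern. */
int stale_bytes_after_copy(int use_strncpy)
{
    char buf[CAPI_MANUFACTURER_LEN];
    int stale = 0;

    memset(buf, 0xAA, sizeof(buf));
    if (use_strncpy)
        strncpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN); /* zero-pads tail */
    else
        kstrlcpy(buf, capi_manufakturer, CAPI_MANUFACTURER_LEN); /* stops at NUL */

    for (size_t i = 0; i < sizeof(buf); i++)
        if ((unsigned char)buf[i] == 0xAA)
            stale++;
    return stale;
}

int main(void)
{
    printf("stale bytes with strlcpy(): %d\n", stale_bytes_after_copy(0));
    printf("stale bytes with strncpy(): %d\n", stale_bytes_after_copy(1));
    return 0;
}
```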