From patchwork Tue Feb 6 21:30:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1895915
From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][Mantic][PATCH 1/1] accel/habanalabs: fix information leak in sec_attest_info() Date: Tue, 6 Feb 2024 15:30:12 -0600 Message-Id: <20240206213012.55794-2-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240206213012.55794-1-bethany.jamison@canonical.com> References: <20240206213012.55794-1-bethany.jamison@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Xingyuan Mo This function may copy the pad0 field of struct hl_info_sec_attest to user mode which has not been initialized, resulting in leakage of kernel heap data to user mode. To prevent this, use kzalloc() to allocate and zero out the buffer, which can also eliminate other uninitialized holes, if any. Fixes: 0c88760f8f5e ("habanalabs/gaudi2: add secured attestation info uapi") Signed-off-by: Xingyuan Mo Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay (cherry picked from commit a9f07790a4b2250f0140e9a61c7f842fd9b618c7) CVE-2023-50431 Signed-off-by: Bethany Jamison --- drivers/accel/habanalabs/common/habanalabs_ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/accel/habanalabs/common/habanalabs_ioctl.c b/drivers/accel/habanalabs/common/habanalabs_ioctl.c index 6a45a92344e9b..a7f6c54c123ef 100644 --- a/drivers/accel/habanalabs/common/habanalabs_ioctl.c +++ b/drivers/accel/habanalabs/common/habanalabs_ioctl.c @@ -682,7 +682,7 @@ static int sec_attest_info(struct hl_fpriv *hpriv, struct hl_info_args *args) if (!sec_attest_info) return -ENOMEM; - info = kmalloc(sizeof(*info), GFP_KERNEL); + info = kzalloc(sizeof(*info), GFP_KERNEL); if (!info) { rc = -ENOMEM; goto free_sec_attest_info;
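
Review bot: The context just above the changed line checks a second buffer (if (!sec_attest_info) return -ENOMEM;), but its allocation falls outside the hunk, so the patch does not show whether that buffer is zeroed or fully written before any of it is copied into info. Please confirm this in the Mantic tree as part of the backport, because zeroing info only covers fields that are never assigned, not fields filled from an uninitialised source. A short comment at the kzalloc() line saying that the structure is copied to user mode and must stay zero-initialised (pad0 is not set explicitly) would also keep a later cleanup from switching it back to kmalloc().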