Re: [Linux-kernel-mentees] [PATCH net] rds: Prevent kernel-infoleak in rds_notify_queue_get()

From: Dan Carpenter
Date: Sat Aug 01 2020 - 04:01:11 EST


On Fri, Jul 31, 2020 at 03:27:12PM -0300, Jason Gunthorpe wrote:
> On Fri, Jul 31, 2020 at 07:19:24PM +0200, Greg Kroah-Hartman wrote:
>
> > > I tried for a bit and didn't find a way to get even old gcc 4.4 to not
> > > initialize the holes.
> >
> > Odd, so it is just the "= {0};" that does not zero out the holes?
>
> Nope, it seems to work fine too. I tried a number of situations and I
> could not get the compiler to not zero holes, even back to gcc 4.4
>
> It is not just accidental either, take this:
>
> struct rds_rdma_notify {
> unsigned long user_token;
> unsigned char status;
> unsigned long user_token1 __attribute__((aligned(32)));
> } foo = {0};
>
> Which has quite a big hole, clang generates:
>
> movq $0, 56(%rdi)
> movq $0, 48(%rdi)
> movq $0, 40(%rdi)
> movq $0, 32(%rdi)
> movq $0, 24(%rdi)
> movq $0, 16(%rdi)
> movq $0, 8(%rdi)
> movq $0, (%rdi)
>
> Deliberate extra instructions to fill both holes. gcc 10 does the
> same, older gcc's do create a rep stosq over the whole thing.
>
> Some fiddling with godbolt shows quite a variety of output, but I
> didn't see anything that looks like a compiler not filling
> padding. Even godbolt's gcc 4.1 filled the padding, which is super old.
>
> In several cases it seems the aggregate initializer produced better
> code than memset, in other cases it didn't
>
> Without an actual example where this doesn't work right it is hard to
> say anything more..

Here is the example that set off the recent patches:

https://lkml.org/lkml/2020/7/27/199

Another example is commit 5ff223e86f5a ("net: Zeroing the structure
ethtool_wolinfo in ethtool_get_wol()"). I tested this one with GCC 7.4
at the time and it was a real life bug.

The rest of these patches were based on static analysis from Smatch.
They're all "theoretical" bugs based on the C standard but it's
impossible to know if and when they'll turn into real life bugs.

It's not a super long list of code that's affected because we've known
that the bug was possible for a few years. It was only last year when
I saw that it had become a real life bug.

regards,
dan carpenter