RE: x86/mce: Potential Information Leak in __mce_read_apei Due to Uninitialized Bytes

From: Luck, Tony
Date: Thu Jan 30 2025 - 12:14:26 EST


> I would like to bring to your attention a potential issue in the
> "__mce_read_apei" function. Specifically, the struct mce m is
> initialized via the "apei_read_mce" function before being copied to
> user space. However, upon inspecting the call trace (apei_read_mce ->
> erst_read_record -> erst_read), we found that not all fields of struct
> mce are properly initialized.

Thanks for the report.

I'm not seeing it (in upstream v6.13 kernel).

__mce_read_apei() does declare "struct mce m" as local, so there is a concern about leakage.

Now apei_read_mce() does:

memcpy(m, &rcd.mce, sizeof(*m));

so all bytes are overwritten. Digging down, "rcd.mce" is also a stack local, so we need to
look into erst_read_record() for how it is filled.

That happens with

erst_read(record_id, record, buflen):

which will overwrite the whole of the "struct cper_mce_record rcd"
declared by apei_read_mce().

All of the error paths look to avoid the copy_to_user() in __mce_read_apei().


Did I miss something that you saw? Are you looking at an older version?

-Tony
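As an added illustration (my own constructed user-space model, not kernel code): it follows the steps Tony traces in apei_read_mce(), reading a record into a local "struct cper_mce_record rcd" and memcpy()ing its mce member into the caller's "struct mce m", then counts how many bytes of m would still carry stale stack contents. It compares a reader that overwrites the whole buffer, as erst_read() does, with a hypothetical reader that assigns only some fields, which is the situation the report worried about. The struct layouts, field names beyond "mce" and "rcd", and sample values are simplified stand-ins, not the real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel structs (constructed layouts, not the real ones). */
struct mce { uint8_t bank; uint64_t status; uint16_t cpu; uint64_t addr; };
struct cper_mce_record { uint32_t hdr_len; struct mce mce; };
#define POISON 0xAAu  /* stand-in for stale stack contents */
/* Models erst_read(): every byte of the caller's buffer is written, padding included. */
static size_t erst_read_full(void *record, size_t buflen) {
    struct cper_mce_record *rcd = record;
    memset(record, 0, buflen);
    rcd->hdr_len = (uint32_t)buflen;
    rcd->mce.bank = 1;
    rcd->mce.status = 0xBD00000000000001ULL; /* constructed sample value */
    return buflen;
}

/* Hypothetical reader matching the report's concern: some fields are never assigned. */
static size_t erst_read_partial(void *record, size_t buflen) {
    struct cper_mce_record *rcd = record;
    rcd->hdr_len = (uint32_t)buflen;
    rcd->mce.bank = 1;
    rcd->mce.status = 0xBD00000000000001ULL; /* constructed sample value */
    /* cpu and addr (and the struct padding) are left untouched */
    return buflen;
}
/* Same steps as apei_read_mce(): read the record into a local rcd, then
   memcpy() its mce member into the caller's struct mce. Returns how many
   bytes of m still hold the poison pattern, i.e. would reach copy_to_user(). */
static size_t leaked_bytes(size_t (*reader)(void *, size_t)) {
    struct cper_mce_record rcd;
    struct mce m;
    const unsigned char *p = (const unsigned char *)&m;
    size_t i, n = 0;
    memset(&rcd, POISON, sizeof(rcd));   /* pretend the stack held old data */
    reader(&rcd, sizeof(rcd));
    memcpy(&m, &rcd.mce, sizeof(m));     /* the copy apei_read_mce() performs */
    for (i = 0; i < sizeof(m); i++)
        n += (p[i] == POISON);
    return n;
}

int main(void) {
    printf("full overwrite: %zu poisoned bytes\n", leaked_bytes(erst_read_full));
    printf("partial fill:   %zu poisoned bytes\n", leaked_bytes(erst_read_partial));
    return 0;
}
```

With the full-overwrite reader the count is 0, which is the situation Tony describes for v6.13; with the partial reader at least the unassigned cpu and addr bytes (plus any padding) remain uninitialized.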