Hi!
From: Greg Kroah-Hartman gregkh@linuxfoundation.org
commit 8096f229421f7b22433775e928d506f0342e5907 upstream.
For the bpf syscall, we are relying on the compiler to properly zero out the bpf_attr union that we copy userspace data into. Unfortunately that doesn't always work properly, padding and other oddities might not be correctly zeroed, and in some tests odd things have been found when the stack is pre-initialized to other values.
Fix this by explicitly memsetting the structure to 0 before using it.
Is not that a gcc bug? I mean, that's seriously unhelpful behaviour from security perspective.
Is there any reason to believe this is not causing problems elsewhere?
$ grep -ri "= {}" . | wc -l 2152
I'm pretty sure many of these are before return to userspace... I picked one at random:
./drivers/media/cec/cec-api.c-static long cec_adap_g_caps(struct cec_adapter *adap, ./drivers/media/cec/cec-api.c- struct cec_caps __user *parg) ./drivers/media/cec/cec-api.c-{ ./drivers/media/cec/cec-api.c: struct cec_caps caps = {}; ./drivers/media/cec/cec-api.c- ./drivers/media/cec/cec-api.c- strscpy(caps.driver, adap->devnode.dev.parent->driver->name, ./drivers/media/cec/cec-api.c- sizeof(caps.driver)); ./drivers/media/cec/cec-api.c- strscpy(caps.name, adap->name, sizeof(caps.name)); ./drivers/media/cec/cec-api.c- caps.available_log_addrs = adap->available_log_addrs; ./drivers/media/cec/cec-api.c- caps.capabilities = adap->capabilities; ./drivers/media/cec/cec-api.c- caps.version = LINUX_VERSION_CODE; ./drivers/media/cec/cec-api.c- if (copy_to_user(parg, &caps, sizeof(caps))) ./drivers/media/cec/cec-api.c- return -EFAULT; ./drivers/media/cec/cec-api.c- return 0; ./drivers/media/cec/cec-api.c-}
Should we fix gcc, instead?
Best regards, Pavel