[PATCH] habanalabs: fix information leak in sec_attest_info()

Xingyuan Mo hdthky0 at gmail.com
Wed Nov 22 10:49:40 UTC 2023


This function may copy the pad0 field of struct hl_info_sec_attest to
user mode which has not been initialized, resulting in leakage of kernel
heap data to user mode. To prevent this, just zero out the pad0 field
before copying it to user mode.

Fixes: 0c88760f8f5e ("habanalabs/gaudi2: add secured attestation info uapi")
Signed-off-by: Xingyuan Mo <hdthky0 at gmail.com>
---
 drivers/accel/habanalabs/common/habanalabs_ioctl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/accel/habanalabs/common/habanalabs_ioctl.c b/drivers/accel/habanalabs/common/habanalabs_ioctl.c
index 8ef36effb95b..9e3feb7ad5e5 100644
--- a/drivers/accel/habanalabs/common/habanalabs_ioctl.c
+++ b/drivers/accel/habanalabs/common/habanalabs_ioctl.c
@@ -707,6 +707,7 @@ static int sec_attest_info(struct hl_fpriv *hpriv, struct hl_info_args *args)
 	memcpy(&info->public_data, &sec_attest_info->public_data, sizeof(info->public_data));
 	memcpy(&info->certificate, &sec_attest_info->certificate, sizeof(info->certificate));
 	memcpy(&info->quote_sig, &sec_attest_info->quote_sig, sizeof(info->quote_sig));
+	memset(&info->pad0, 0, sizeof(info->pad0));
 
 	rc = copy_to_user(out, info,
 				min_t(size_t, max_size, sizeof(*info))) ? -EFAULT : 0;
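Review bot: The added memset on info->pad0 clears only that one field, while the copy_to_user() call right below sends up to sizeof(*info) bytes, so any other member or compiler-inserted padding that the memcpy() lines do not write would still reach user space. The allocation of info is outside this hunk; if it is a kmalloc(), switching it to kzalloc() would zero the whole buffer once, cover fields added to the struct later, and make this per-field memset unnecessary.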
-- 
2.43.0


