Headline
CVE-2023-50431: [PATCH] habanalabs: fix information leak in sec_attest_info()
sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.
Xingyuan Mo hdthky0 at gmail.com
Wed Nov 22 10:49:40 UTC 2023
This function may copy the pad0 field of struct hl_info_sec_attest to user mode which has not been initialized, resulting in leakage of kernel heap data to user mode. To prevent this, just zero out the pad0 field before copying it to user mode.
Fixes: 0c88760f8f5e ("habanalabs/gaudi2: add secured attestation info uapi")
Signed-off-by: Xingyuan Mo <hdthky0 at gmail.com>
drivers/accel/habanalabs/common/habanalabs_ioctl.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/accel/habanalabs/common/habanalabs_ioctl.c b/drivers/accel/habanalabs/common/habanalabs_ioctl.c index 8ef36effb95b…9e3feb7ad5e5 100644 — a/drivers/accel/habanalabs/common/habanalabs_ioctl.c +++ b/drivers/accel/habanalabs/common/habanalabs_ioctl.c @@ -707,6 +707,7 @@ static int sec_attest_info(struct hl_fpriv *hpriv, struct hl_info_args *args) memcpy(&info->public_data, &sec_attest_info->public_data, sizeof(info->public_data)); memcpy(&info->certificate, &sec_attest_info->certificate, sizeof(info->certificate)); memcpy(&info->quote_sig, &sec_attest_info->quote_sig, sizeof(info->quote_sig));
memset(&info->pad0, 0, sizeof(info->pad0));
rc = copy_to_user(out, info, min_t(size_t, max_size, sizeof(*info))) ? -EFAULT : 0; – 2.43.0
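Review bot: the added memset before copy_to_user() clears only pad0, so the fix depends on every other byte of *info being written by the memcpy() calls above it, while copy_to_user() still sends up to sizeof(*info) bytes, including any compiler-inserted padding between members and any field added later. Since the commit message describes the buffer as kernel heap memory, consider zeroing the whole structure once instead, for example by allocating info with kzalloc() or calling memset(info, 0, sizeof(*info)) before the field copies (the allocation is outside this hunk), so that pad fields do not have to be tracked one by one.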
More information about the dri-devel mailing list
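A userspace check for this class of bug, added here as an example (not code from the patch or from the habanalabs driver): poison the reply buffer, run the fill routine, and count the bytes that were never written. The struct `demo_attest_reply` and both fill functions are constructed stand-ins, since the real `hl_info_sec_attest` layout is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a uapi reply struct; NOT the real hl_info_sec_attest. */
struct demo_attest_reply {
    uint32_t nonce;
    uint16_t quote_len;
    uint8_t  pad0[2];            /* explicit padding, like info->pad0 in the patch */
    uint8_t  public_data[32];
};
_Static_assert(sizeof(struct demo_attest_reply) == 40, "no implicit padding expected");

typedef void (*fill_fn)(struct demo_attest_reply *, const struct demo_attest_reply *);

/* Pre-fix shape: every field is copied except the pad. */
static void fill_unpatched(struct demo_attest_reply *out, const struct demo_attest_reply *src)
{
    out->nonce = src->nonce;
    out->quote_len = src->quote_len;
    memcpy(out->public_data, src->public_data, sizeof(out->public_data));
}

/* Post-fix shape: the same copies plus the memset the patch adds. */
static void fill_patched(struct demo_attest_reply *out, const struct demo_attest_reply *src)
{
    fill_unpatched(out, src);
    memset(out->pad0, 0, sizeof(out->pad0));
}

/* Fill the reply twice over two different poison patterns. A byte that still
 * equals the poison in both runs was never written, so it would carry stale
 * allocator contents across the kernel/user boundary. Returns the byte count. */
static size_t count_unwritten(fill_fn fill, size_t *first_off)
{
    static const uint8_t poison[2] = { 0xA5, 0x5A };
    struct demo_attest_reply src = { .nonce = 0x11223344, .quote_len = 64 };
    struct demo_attest_reply out[2];
    size_t n = 0;

    memset(src.public_data, 0x42, sizeof(src.public_data));   /* constructed data */
    for (int run = 0; run < 2; run++) {
        memset(&out[run], poison[run], sizeof(out[run]));
        fill(&out[run], &src);
    }
    const unsigned char *a = (const unsigned char *)&out[0];
    const unsigned char *b = (const unsigned char *)&out[1];
    for (size_t i = 0; i < sizeof(out[0]); i++)
        if (a[i] == poison[0] && b[i] == poison[1] && n++ == 0 && first_off)
            *first_off = i;
    return n;
}

int main(void)
{
    size_t off = 0;
    printf("unpatched: %zu unwritten byte(s)\n", count_unwritten(fill_unpatched, &off));
    printf("first unwritten offset: %zu\n", off);
    printf("patched: %zu unwritten byte(s)\n", count_unwritten(fill_patched, NULL));
    return 0;
}
```

Using two poison patterns keeps a legitimately written byte that happens to equal one pattern from being reported as unwritten.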
Related news
Ubuntu Security Notice 6724-2 - Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero length data request, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service. It was discovered that the Habana's AI Processors driver in the Linux kernel did not properly initialize certain data structures before passing them to user space. A local attacker could use this to expose sensitive information.
Ubuntu Security Notice 6724-1 - Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero length data request, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service. It was discovered that the Habana's AI Processors driver in the Linux kernel did not properly initialize certain data structures before passing them to user space. A local attacker could use this to expose sensitive information.
Ubuntu Security Notice 6688-1 - Pratyush Yadav discovered that the Xen network backend implementation in the Linux kernel did not properly handle zero length data request, leading to a null pointer dereference vulnerability. An attacker in a guest VM could possibly use this to cause a denial of service. It was discovered that the Habana's AI Processors driver in the Linux kernel did not properly initialize certain data structures before passing them to user space. A local attacker could use this to expose sensitive information.