From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 335673B42CF for ; Wed, 17 Jun 2026 06:24:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781677492; cv=none; b=lzA6fpZYaixub92TFhARwz51g2CfrFEMuIzpkE3P0U4wdOo6NwJXgk3RL4AqJfm97i5DdIazY6m0R1jQP4+UQLhoc31r05G50Rq1BtCU7Yb1Dx5r0G+ZEpqDybG4i58HxvOGxIAlGxMDg1cx3tuhPeyIuFxXRCBc4BOdDCiEVDo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781677492; c=relaxed/simple; bh=PtxseKaSk7tg3FqmR7IGQgXRZpCNgHQQdGpxlxERFMg=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=eYmrnNt28TkdncvbmkfK0JDhz262BxR7pBstuDmOC9AAXl0StQNBI0TkXzP8o/XSW8RwMhAgbLvh86IZiq7B457Qge6W235Ud0OBSmReC4f/hi97UBpMWC3N/vQ5G4UovBZ4RfvphxVfo5sRvhJUniPnSDHnbT4IfYklaBSTQSo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=HWjCVcik; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="HWjCVcik" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E4D9A1F000E9; Wed, 17 Jun 2026 06:24:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1781677489; bh=ZbiAl6cAwQ/MIX03T60qFrsPF1kk2r70Bmoo7yfgync=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=HWjCVcik3IrZo1k9iWr7XPH5NB6V05qGX6TdOBXcO+CF+76Ai79MbEY1S4ysZLQir JXCB4/li8KQp293/RTngIiph+hiAD1QRmF2U1by1zz8SRmAQutYcRWZIuKTEhVEHXD B1PVaDzhT3CBd5EzXOx50BAY8Ok3f+N2WnMfIAw59tLGktorFQDBOaY6s/WDnSxgaK yTE4gGKWSys46XGUKvy2auhC66oAAW2diwmrNKwmLjJVHIFstOiG3GX1h5dMdD8KzD WaRqdAQzFXof0C8YQfi3cPU7KmlXUPdLxRNq5cy+jrhywfrMP3gnAk8yWwgrnGWRRx 0m9ON/B1GtgHA== Message-ID: Date: Wed, 17 Jun 2026 16:24:45 +1000 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] riscv: hwprobe: Avoid uninitialized read in hwprobe_get_cpus() To: Mark Harris Cc: Paul Walmsley , Palmer Dabbelt , Albert Ou , Alexandre Ghiti , linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org References: <20260612045502.70850-1-mark.hsj@gmail.com> <77749c92-ac8a-4074-bb59-59dbbd3d84f2@kernel.org> Content-Language: en-US From: Michael Ellerman In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 16/6/26 1:53 pm, Mark Harris wrote: > Michael Ellerman wrote: >> >> On 12/6/26 2:55 pm, Mark Harris wrote: >>> When cpusetsize < cpumask_size(), hwprobe_get_cpus() did not fully >>> initialize its copy of the cpu mask, which could cause non-deterministic >>> results from the riscv_hwprobe syscall on a system with more than 8 CPUs >>> when the supplied cpu mask is empty. Address this by fully initializing >>> the cpu mask. >>> >>> Signed-off-by: Mark Harris >>> --- >>> arch/riscv/kernel/sys_hwprobe.c | 1 + >>> 1 file changed, 1 insertion(+) >> >> This should have a fixes tag, I think it's: >> >> Fixes: e178bf146e4b ("RISC-V: hwprobe: Introduce which-cpus flag") > > Yes, that looks correct. > >> >>> diff --git a/arch/riscv/kernel/sys_hwprobe.c b/arch/riscv/kernel/sys_hwprobe.c >>> index 1659d31fd288..caf6762427c8 100644 >>> --- a/arch/riscv/kernel/sys_hwprobe.c >>> +++ b/arch/riscv/kernel/sys_hwprobe.c >>> @@ -450,6 +450,7 @@ static int hwprobe_get_cpus(struct riscv_hwprobe __user *pairs, >>> if (cpusetsize > cpumask_size()) >>> cpusetsize = cpumask_size(); >>> >>> + cpumask_clear(&cpus); >>> ret = copy_from_user(&cpus, cpus_user, cpusetsize); >>> if (ret) >>> return -EFAULT; >> >> cpus is on the stack, and is copied back out at the end of the function, >> so this looks like it could be a stack info leak. >> >> But the copy back is also bounded by cpusetsize, so in fact there is not >> any leak of uninitialised stack out to userspace: >> >> ret = copy_to_user(cpus_user, &cpus, cpusetsize); >> if (ret) >> return -EFAULT; > > It can leak 1 bit of information from the kernel stack. For example > with 16 CPUs, all online, if a 1-byte 0x00 mask is supplied, the > caller can determine whether the second (uninitialized) mask byte is > zero or non-zero due to the cpumask_empty(&cpus) check. Oh yep, because the caller can observe if cpus was/wasn't overwritten with the cpus_online_mask. I guess that counts as an info leak, it doesn't let an attacker reconstruct actual values from the stack, but a zero/non-zero check could be useful in theory. cheers