From: "Dmitry V. Levin"
To: Peilin Ye
Cc: Arnd Bergmann, Oleg Nesterov, linux-kernel@vger.kernel.org, Elvira Khabirova, linux-kernel-mentees@lists.linuxfoundation.org, Dan Carpenter
Subject: Re: [Linux-kernel-mentees] [PATCH] ptrace: Prevent kernel-infoleak in ptrace_get_syscall_info()
Date: Sat, 1 Aug 2020 03:21:42 +0300
Message-ID: <20200801002142.GA27762@altlinux.org>
In-Reply-To: <20200727213644.328662-1-yepeilin.cs@gmail.com>

On Mon, Jul 27, 2020 at 05:36:44PM -0400, Peilin Ye wrote:
> ptrace_get_syscall_info() is copying uninitialized stack memory to
> userspace due to the compiler not initializing holes in statically
> allocated structures. Fix it by initializing `info` with memset().
>
> Cc: stable@vger.kernel.org
> Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request")
> Suggested-by: Dan Carpenter
> Signed-off-by: Peilin Ye
> ---
> kernel/ptrace.c | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 43d6179508d6..e48d05b765b5 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -960,15 +960,17 @@ ptrace_get_syscall_info(struct task_struct *child, unsigned long user_size, > void __user *datavp) > { > struct pt_regs *regs = task_pt_regs(child); > - struct ptrace_syscall_info info = { > - .op = PTRACE_SYSCALL_INFO_NONE, > - .arch = syscall_get_arch(child), > - .instruction_pointer = instruction_pointer(regs), > - .stack_pointer = user_stack_pointer(regs), > - }; > + struct ptrace_syscall_info info; > unsigned long actual_size = offsetof(struct ptrace_syscall_info, entry); > unsigned long write_size; > > + memset(&info, 0, sizeof(info)); > + > + info.op = PTRACE_SYSCALL_INFO_NONE; > + info.arch = syscall_get_arch(child); > + info.instruction_pointer = instruction_pointer(regs); > + info.stack_pointer = user_stack_pointer(regs); > + No, please don't do it this way. If there is a hole in the structure that the compiler is unable to initialize properly (and there is a 3-byte hole in the beginning indeed), please plug the hole by turning it into something that the compiler is capable of initializing. Also, please do not forget to Cc authors of the commit you are fixing. 
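Review bot: the memset() in this hunk treats the symptom rather than the cause: the reply identifies a 3-byte padding hole after `op` in `struct ptrace_syscall_info`, and that hole lies inside the `offsetof(struct ptrace_syscall_info, entry)` bytes that `actual_size` selects for copying, so it is the header padding, not the union, that reaches userspace. Declaring that padding as an explicit member of the UAPI struct (for instance a three-element `__u8` array placed after `op`; the exact name is a suggestion, not something this patch shows) lets the original designated initializer zero it, so the five removed `info = { ... }` lines can stay and the added `memset()` plus the four separate assignments become unnecessary, which also keeps the initialization in one place where a future field cannot be forgotten. The commit message should then name the specific hole instead of the generic "holes in statically allocated structures", and, as the reply notes, the authors of 201766a20e30 named in the Fixes: tag need to be on Cc.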
-- 
ldv
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees