From: Helge Deller <deller@gmx.de>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org
Cc: linux-parisc@vger.kernel.org,
	James Bottomley <James.Bottomley@hansenpartnership.com>,
	John David Anglin <dave.anglin@bell.net>
Subject: [PATCH] Fix prctl(PR_GET_NAME) to not leak random trailing bytes
Date: Fri, 27 Aug 2021 11:28:14 +0200
Message-ID: <YSiwLuE17BwRlI/d@ls3530>

The prctl(PR_GET_NAME) and prctl(PR_SET_NAME) syscalls are used to set and
retrieve the process name. Those kernel functions are currently implemented to
always copy the full array of 16-bytes back and forth between kernel and
userspace instead of just copying the relevant bytes of the string.

This patch changes the prctl(PR_GET_NAME) to only copy back the null-terminated
string (with max. up to 16 chars including the trailing zero) to userspace and
thus avoids copying and leaking random trailing chars behind the process name.

Background:
The newest glibc testsuite includes a test which is implemented similar to
this:
   #include <string.h>
   #include <sys/prctl.h>

   prctl(PR_SET_NAME, "thread name", 0, 0, 0);
   char buffer[16] = { 0, };
   prctl(PR_GET_NAME, buffer, 0, 0, 0);
   char expected[16] = "thread name";
   if (memcmp(buffer, expected, 16) != 0)
       return 1;   /* test fails: all 16 bytes are compared */

The compiler may put the "thread name" string given in the PR_SET_NAME call
somewhere into memory and it's not guaranteed that the trailing (up to a total of
16) chars behind that string have zeroes.
As such on the parisc architecture I've seen that the buffer[] array gets
filled on return of prctl(PR_GET_NAME) with such additional random bytes, e.g.:
       "thread name\000@\032i\000"
       74 68 72 65 61 64 20 6E 61 6D 65 00 40 1A 69 00

Unfortunately the glibc testsuite tests the full memory block of 16 bytes
and fails because it expects zeroed characters behind the process name.

In addition to fixing the glibc testsuite, I suggest fixing the kernel function
prctl(PR_GET_NAME) to just return the null-terminated process name.
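The check described above, written out as a runnable userspace program. This is an added example, not code from the patch e-mail or from the glibc testsuite: it assumes Linux with glibc headers, sets the thread name from a buffer that is deliberately followed by non-zero filler (the condition the commit message says the compiler may produce), reads it back into a zeroed 16-byte buffer and counts the non-zero bytes that follow the terminating NUL. On a kernel that pads or truncates correctly the count is 0.

```c
/* Added example, not part of the original patch: verify what
 * prctl(PR_GET_NAME) writes into a caller's 16-byte buffer. */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

#define COMM_LEN 16   /* TASK_COMM_LEN: 15 characters plus the trailing NUL */

/* Set the thread name from a source buffer whose bytes after the NUL are
 * non-zero (constructed 0xAA filler), read it back into 'out' (zeroed
 * first) and return how many bytes after the returned NUL are non-zero.
 * Returns -1 if the name is too long, a prctl call fails, or the name
 * read back does not match the one that was set. */
int check_get_name_trailing_bytes(const char *name, char out[COMM_LEN])
{
    char src[COMM_LEN];
    size_t len = strlen(name);
    int extra = 0;

    if (len >= COMM_LEN)
        return -1;

    /* constructed: fill with 0xAA so anything beyond the NUL is visibly non-zero */
    memset(src, 0xAA, sizeof(src));
    memcpy(src, name, len + 1);          /* copy the string and its NUL only */

    if (prctl(PR_SET_NAME, src, 0, 0, 0) != 0)
        return -1;

    memset(out, 0, COMM_LEN);            /* like 'char buffer[16] = { 0, }' */
    if (prctl(PR_GET_NAME, out, 0, 0, 0) != 0)
        return -1;

    /* The kernel always terminates comm within 16 bytes, so strcmp is safe. */
    if (strcmp(out, name) != 0)
        return -1;

    /* Count non-zero bytes between the terminating NUL and the end of the block. */
    for (size_t i = len + 1; i < COMM_LEN; i++)
        if (out[i] != 0)
            extra++;

    return extra;
}

/* Convenience wrapper using the same name as the glibc test. */
int check_thread_name_roundtrip(void)
{
    char got[COMM_LEN];
    return check_get_name_trailing_bytes("thread name", got);
}

int main(void)
{
    char got[COMM_LEN];
    int extra = check_get_name_trailing_bytes("thread name", got);

    if (extra < 0) {
        fprintf(stderr, "prctl failed or name mismatch\n");
        return 1;
    }

    printf("name=\"%s\", non-zero bytes after NUL: %d\n", got, extra);
    printf("bytes:");
    for (size_t i = 0; i < COMM_LEN; i++)
        printf(" %02X", (unsigned char)got[i]);
    printf("\n");

    return extra != 0;   /* non-zero exit if stale bytes were copied back */
}
```

The program changes the calling thread's own comm, which is visible in /proc/self/comm, so run it in a throwaway process rather than inside a service you care about.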

Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org

diff --git a/kernel/sys.c b/kernel/sys.c
index ef1a78f5d71c..af71412760be 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2367,7 +2367,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
 		break;
 	case PR_GET_NAME:
 		get_task_comm(comm, me);
-		if (copy_to_user((char __user *)arg2, comm, sizeof(comm)))
+		if (copy_to_user((char __user *)arg2, comm, strlen(comm) + 1))
 			return -EFAULT;
 		break;
 	case PR_GET_ENDIAN:
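Review bot: the hunk shortens the copy on the PR_GET_NAME side, while the commit text locates the source of the extra bytes on the PR_SET_NAME side (the string the compiler placed in memory without zeroes behind it). `get_task_comm(comm, me)` fills the local 16-byte `comm`; if the bytes after the terminating NUL in `comm` were zero, `copy_to_user((char __user *)arg2, comm, sizeof(comm))` would leak nothing, so it is worth establishing why they are not (the set path or the padding done by `get_task_comm`) rather than only copying `strlen(comm) + 1` bytes. Shortening the copy also changes user-visible behaviour: callers that do not pre-zero their buffer previously had all 16 bytes overwritten and now keep whatever was already in the bytes past the NUL, which is the same kind of stale data the glibc test complains about. Suggest making the kernel-side buffer deterministic instead, e.g. clearing `comm` past the NUL before the full-length copy, so both the set and get paths always yield a fully defined 16-byte result.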

Thread overview: 5+ messages
2021-08-27  9:28 Helge Deller [this message]
2021-08-27 10:31 ` [PATCH] Fix prctl(PR_GET_NAME) to not leak random trailing bytes Rasmus Villemoes
2021-08-27 12:18   ` Helge Deller
2021-08-28 17:39     ` Linus Torvalds
2021-08-28 19:35       ` Helge Deller
