From: Helge Deller <deller@gmx.de>
To: Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org
Cc: linux-parisc@vger.kernel.org,
James Bottomley <James.Bottomley@hansenpartnership.com>,
John David Anglin <dave.anglin@bell.net>
Subject: [PATCH] Fix prctl(PR_GET_NAME) to not leak random trailing bytes
Date: Fri, 27 Aug 2021 11:28:14 +0200 [thread overview]
Message-ID: <YSiwLuE17BwRlI/d@ls3530> (raw)
The prctl(PR_GET_NAME) and prctl(PR_SET_NAME) syscalls are used to set and
retrieve the process name. Those kernel functions are currently implemented to
always copy the full array of 16-bytes back and forth between kernel and
userspace instead of just copying the relevant bytes of the string.
This patch changes the prctl(PR_GET_NAME) to only copy back the null-terminated
string (with max. up to 16 chars including the trailing zero) to userspace and
thus avoids copying and leaking random trailing chars behind the process name.
Background:
The newest glibc testsuite includes a test which is implemented similiar to
this:
prctl(PR_SET_NAME, "thread name", 0, 0, 0);
char buffer[16] = { 0, };
prctl(PR_GET_NAME, buffer, 0, 0, 0);
char expected[16] = "thread name";
fail if memcmp(buffer, expected, 16) != 0;
The compiler may put the "thread name" string given in the PR_SET_NAME call
somewhere into memory and it's not guaranteed that trailing (up to a total of
16) chars behind that string has zeroes.
As such on the parisc architecture I've seen that the buffer[] array gets
filled on return of prctl(PR_GET_NAME) with such additional random bytes, e.g.:
"thread name\000@\032i\000"
74 68 72 65 61 64 20 6E 61 6D 65 00 40 1A 69 00
Unfortunatly the glibc testuite tests the full memory block of 16 bytes
and fails because it expects zeroed characters behind the process name.
In addition to fix the glibc testsuite, I suggest to fix the kernel function of
prctl(PR_GET_NAME) to just return the null-terminated process name.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org
diff --git a/kernel/sys.c b/kernel/sys.c
index ef1a78f5d71c..af71412760be 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2367,7 +2367,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
break;
case PR_GET_NAME:
get_task_comm(comm, me);
- if (copy_to_user((char __user *)arg2, comm, sizeof(comm)))
+ if (copy_to_user((char __user *)arg2, comm, strlen(comm) + 1))
return -EFAULT;
break;
case PR_GET_ENDIAN:
next reply other threads:[~2021-08-27 9:30 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-27 9:28 Helge Deller [this message]
2021-08-27 10:31 ` [PATCH] Fix prctl(PR_GET_NAME) to not leak random trailing bytes Rasmus Villemoes
2021-08-27 12:18 ` Helge Deller
2021-08-28 17:39 ` Linus Torvalds
2021-08-28 19:35 ` Helge Deller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YSiwLuE17BwRlI/d@ls3530 \
--to=deller@gmx.de \
--cc=James.Bottomley@hansenpartnership.com \
--cc=akpm@linux-foundation.org \
--cc=dave.anglin@bell.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-parisc@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).