[PATCH] ipc: explicitly clear stack memory for shminfo

[PATCH] ipc: explicitly clear stack memory for shminfo

[Kees Cook]

This fixes a kernel stack memory contents leak by explicitly clearing
the shminfo structure on the kernel stack before it is populated and
copied back to userspace.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Pekka Enberg <penberg@kernel.org>
---
 ipc/shm.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index 7d3bb22..1d3d41f 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -531,6 +531,7 @@ static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminf
 	    {
 		struct shminfo out;
 
+		memset(&out, 0, sizeof(out));
 		if(in->shmmax > INT_MAX)
 			out.shmmax = INT_MAX;
 		else
-- 
1.7.2.3

Re: [PATCH] ipc: explicitly clear stack memory for shminfo

[Joe Perches]

On Tue, 2010-11-16 at 11:58 -0800, Kees Cook wrote:
> This fixes a kernel stack memory contents leak by explicitly clearing
> the shminfo structure on the kernel stack before it is populated and
> copied back to userspace.
> diff --git a/ipc/shm.c b/ipc/shm.c
> index 7d3bb22..1d3d41f 100644
> --- a/ipc/shm.c
> +++ b/ipc/shm.c
> @@ -531,6 +531,7 @@ static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminf
>  	    {
>  		struct shminfo out;
>  
> +		memset(&out, 0, sizeof(out));
>  		if(in->shmmax > INT_MAX)
>  			out.shmmax = INT_MAX;
>  		else

Hi Kees.

Trivial size optimization:

Perhaps it's better to use
	struct type var = {};
instead of
	struct type var;
	memset(&var, 0, sizeof(var));

At least for x86, gcc produces very slightly smaller code
when there are other automatic variables like:

Larger:
	struct type var;
	struct type var2;
	memset(&var, 0, sizeof(var));
Smaller:
	struct type var = {};
	struct type var2;

On the other hand, memset is more obvious.

Re: [PATCH] ipc: explicitly clear stack memory for shminfo

[Vasiliy Kulikov]

Hi Kees,

On Tue, Nov 16, 2010 at 11:58 -0800, Kees Cook wrote:
> This fixes a kernel stack memory contents leak by explicitly clearing
> the shminfo structure on the kernel stack before it is populated and
> copied back to userspace.
> 
> Signed-off-by: Kees Cook <kees.cook@canonical.com>
> Acked-by: Pekka Enberg <penberg@kernel.org>
> ---
>  ipc/shm.c |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/ipc/shm.c b/ipc/shm.c
> index 7d3bb22..1d3d41f 100644
> --- a/ipc/shm.c
> +++ b/ipc/shm.c
> @@ -531,6 +531,7 @@ static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminf
>  	    {
>  		struct shminfo out;
>  
> +		memset(&out, 0, sizeof(out));
>  		if(in->shmmax > INT_MAX)
>  			out.shmmax = INT_MAX;
>  		else
> -- 
> 1.7.2.3

Can you please clarify what fields (padding bytes?) are uninitialized
here?  I see this struct shminfo definition:

    /* Obsolete, used only for backwards compatibility */
    struct	shminfo {
        int shmmax;
        int shmmin;
        int shmmni;
        int shmseg;
        int shmall;
    };

And this filling:

		if(in->shmmax > INT_MAX)
			out.shmmax = INT_MAX;
		else
			out.shmmax = (int)in->shmmax;

		out.shmmin	= in->shmmin;
		out.shmmni	= in->shmmni;
		out.shmseg	= in->shmseg;
		out.shmall	= in->shmall; 

		return copy_to_user(buf, &out, sizeof(out));

As I see all five fields are set anyway, no padding bytes here, correct?


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments

Re: [PATCH] ipc: explicitly clear stack memory for shminfo

[Kees Cook]

Hi Vasiliy,

On Tue, Nov 16, 2010 at 11:16:20PM +0300, Vasiliy Kulikov wrote:
> Can you please clarify what fields (padding bytes?) are uninitialized
> here?  I see this struct shminfo definition:
> [snip]
> As I see all five fields are set anyway, no padding bytes here, correct?

You are correct, I was looking at shminfo64. Nevermind!

-Kees

-- 
Kees Cook
Ubuntu Security Team