* Re: siginfo memory leak?
2016-05-23 11:16 siginfo memory leak? Michal Hocko
@ 2016-05-23 12:43 ` Martin Schwidefsky
2016-05-23 13:05 ` Michal Hocko
2016-05-23 13:43 ` [PATCH] s390: fix info leak in do_sigsegv Michal Hocko
` (2 subsequent siblings)
3 siblings, 1 reply; 11+ messages in thread
From: Martin Schwidefsky @ 2016-05-23 12:43 UTC (permalink / raw)
To: Michal Hocko
Cc: Oleg Nesterov, Aleksa Sarai, LKML, Heiko Carstens, linux-s390,
Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
On Mon, 23 May 2016 13:16:30 +0200
Michal Hocko <mhocko@kernel.org> wrote:
> Hi,
> Aleksa has reported that strace tells a bogus si_errno while debugging
> something on s390:
> [pid 20799] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_errno=2510266, si_addr=0x100000000000000}
That is a bug.
> A quick look into do_sigsegv shows that siginfo is not completely
> initialized and it indeed might leak the previous stack content
> which will later gets to userspace. So unless I am missing something
> we need something like the trivial patch below. I have tried to look
> around and it seems that this is not the only place...
Indeed, for s390 four bytes of the kernel stack gets leaked to user space.
That needs fixing.
> x86 do_error_trap doesn't do any initialization at all! It is hard to
> tell other places. I have checked some and most of them do some
> (partial) initialization.
>
> So my primary question is whether we want to fix all those potential
> places one by one or come up with something more systematic (e.g. a
> macro to declare on stack siginfo). Btw. I am not even sure partial
> initializations are correct and memset should be used unconditioanlly
> (e.g. fill_sigtrap_info does do that).
> ---
> diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
> index 791a4146052c..41913fac14e4 100644
> --- a/arch/s390/mm/fault.c
> +++ b/arch/s390/mm/fault.c
> @@ -248,6 +248,7 @@ static noinline void do_sigsegv(struct pt_regs *regs, int si_code)
> si.si_signo = SIGSEGV;
> si.si_code = si_code;
> si.si_addr = (void __user *)(regs->int_parm_long & __FAIL_ADDR_MASK);
> + si.si_errno = 0;
> force_sig_info(SIGSEGV, &si, current);
> }
>
The other for place where s390 calls force_sig_info are correct.
Only do_sigsegv misses the clear of si_errno.
> diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
> index ade185a46b1d..f8b66ddbb47d 100644
> --- a/arch/x86/kernel/traps.c
> +++ b/arch/x86/kernel/traps.c
> @@ -286,6 +286,7 @@ static void do_error_trap(struct pt_regs *regs, long error_code, char *str,
>
> if (notify_die(DIE_TRAP, str, regs, error_code, trapnr, signr) !=
> NOTIFY_STOP) {
> + memset(&info, 0, sizeof(info));
> conditional_sti(regs);
> do_trap(trapnr, signr, str, regs, error_code,
> fill_trap_info(regs, signr, trapnr, &info));
>
--
blue skies,
Martin.
"Reality continues to ruin my life." - Calvin.
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: siginfo memory leak?
2016-05-23 12:43 ` Martin Schwidefsky
@ 2016-05-23 13:05 ` Michal Hocko
2016-05-23 13:29 ` Martin Schwidefsky
0 siblings, 1 reply; 11+ messages in thread
From: Michal Hocko @ 2016-05-23 13:05 UTC (permalink / raw)
To: Martin Schwidefsky
Cc: Oleg Nesterov, Aleksa Sarai, LKML, Heiko Carstens, linux-s390,
Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
On Mon 23-05-16 14:43:19, Martin Schwidefsky wrote:
> On Mon, 23 May 2016 13:16:30 +0200
[...]
> > diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
> > index 791a4146052c..41913fac14e4 100644
> > --- a/arch/s390/mm/fault.c
> > +++ b/arch/s390/mm/fault.c
> > @@ -248,6 +248,7 @@ static noinline void do_sigsegv(struct pt_regs *regs, int si_code)
> > si.si_signo = SIGSEGV;
> > si.si_code = si_code;
> > si.si_addr = (void __user *)(regs->int_parm_long & __FAIL_ADDR_MASK);
> > + si.si_errno = 0;
> > force_sig_info(SIGSEGV, &si, current);
> > }
> >
>
> The other for place where s390 calls force_sig_info are correct.
> Only do_sigsegv misses the clear of si_errno.
I can send a full patch with the proper changelog but I am really
wondering whether we can plug this in a more systematic way. If you
prefer a small s390 specific I will do it right away though. Same
applies to x86 one.
> > diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
> > index ade185a46b1d..f8b66ddbb47d 100644
> > --- a/arch/x86/kernel/traps.c
> > +++ b/arch/x86/kernel/traps.c
> > @@ -286,6 +286,7 @@ static void do_error_trap(struct pt_regs *regs, long error_code, char *str,
> >
> > if (notify_die(DIE_TRAP, str, regs, error_code, trapnr, signr) !=
> > NOTIFY_STOP) {
> > + memset(&info, 0, sizeof(info));
> > conditional_sti(regs);
> > do_trap(trapnr, signr, str, regs, error_code,
> > fill_trap_info(regs, signr, trapnr, &info));
> >
>
> --
> blue skies,
> Martin.
>
> "Reality continues to ruin my life." - Calvin.
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: siginfo memory leak?
2016-05-23 13:05 ` Michal Hocko
@ 2016-05-23 13:29 ` Martin Schwidefsky
2016-05-23 13:34 ` Michal Hocko
0 siblings, 1 reply; 11+ messages in thread
From: Martin Schwidefsky @ 2016-05-23 13:29 UTC (permalink / raw)
To: Michal Hocko
Cc: Oleg Nesterov, Aleksa Sarai, LKML, Heiko Carstens, linux-s390,
Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
On Mon, 23 May 2016 15:05:38 +0200
Michal Hocko <mhocko@kernel.org> wrote:
> On Mon 23-05-16 14:43:19, Martin Schwidefsky wrote:
> > On Mon, 23 May 2016 13:16:30 +0200
> [...]
> > > diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
> > > index 791a4146052c..41913fac14e4 100644
> > > --- a/arch/s390/mm/fault.c
> > > +++ b/arch/s390/mm/fault.c
> > > @@ -248,6 +248,7 @@ static noinline void do_sigsegv(struct pt_regs *regs, int si_code)
> > > si.si_signo = SIGSEGV;
> > > si.si_code = si_code;
> > > si.si_addr = (void __user *)(regs->int_parm_long & __FAIL_ADDR_MASK);
> > > + si.si_errno = 0;
> > > force_sig_info(SIGSEGV, &si, current);
> > > }
> > >
> >
> > The other for place where s390 calls force_sig_info are correct.
> > Only do_sigsegv misses the clear of si_errno.
>
> I can send a full patch with the proper changelog but I am really
> wondering whether we can plug this in a more systematic way. If you
> prefer a small s390 specific I will do it right away though. Same
> applies to x86 one.
Why not fix the bug with a small patch and then provide the "big"
solution? A potential information leak is not good ..
--
blue skies,
Martin.
"Reality continues to ruin my life." - Calvin.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: siginfo memory leak?
2016-05-23 13:29 ` Martin Schwidefsky
@ 2016-05-23 13:34 ` Michal Hocko
0 siblings, 0 replies; 11+ messages in thread
From: Michal Hocko @ 2016-05-23 13:34 UTC (permalink / raw)
To: Martin Schwidefsky
Cc: Oleg Nesterov, Aleksa Sarai, LKML, Heiko Carstens, linux-s390,
Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
On Mon 23-05-16 15:29:21, Martin Schwidefsky wrote:
> On Mon, 23 May 2016 15:05:38 +0200
> Michal Hocko <mhocko@kernel.org> wrote:
>
> > On Mon 23-05-16 14:43:19, Martin Schwidefsky wrote:
> > > On Mon, 23 May 2016 13:16:30 +0200
> > [...]
> > > > diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
> > > > index 791a4146052c..41913fac14e4 100644
> > > > --- a/arch/s390/mm/fault.c
> > > > +++ b/arch/s390/mm/fault.c
> > > > @@ -248,6 +248,7 @@ static noinline void do_sigsegv(struct pt_regs *regs, int si_code)
> > > > si.si_signo = SIGSEGV;
> > > > si.si_code = si_code;
> > > > si.si_addr = (void __user *)(regs->int_parm_long & __FAIL_ADDR_MASK);
> > > > + si.si_errno = 0;
> > > > force_sig_info(SIGSEGV, &si, current);
> > > > }
> > > >
> > >
> > > The other for place where s390 calls force_sig_info are correct.
> > > Only do_sigsegv misses the clear of si_errno.
> >
> > I can send a full patch with the proper changelog but I am really
> > wondering whether we can plug this in a more systematic way. If you
> > prefer a small s390 specific I will do it right away though. Same
> > applies to x86 one.
>
> Why not fix the bug with a small patch and then provide the "big"
> solution? A potential information leak is not good ..
Fair enough. Will send two patches for the places which do not do the
proper initialization.
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH] s390: fix info leak in do_sigsegv
2016-05-23 11:16 siginfo memory leak? Michal Hocko
2016-05-23 12:43 ` Martin Schwidefsky
@ 2016-05-23 13:43 ` Michal Hocko
2016-05-23 14:47 ` Martin Schwidefsky
2016-05-23 13:54 ` [PATCH] x86: fix potential memleak in do_error_trap Michal Hocko
2016-05-23 15:42 ` siginfo memory leak? Oleg Nesterov
3 siblings, 1 reply; 11+ messages in thread
From: Michal Hocko @ 2016-05-23 13:43 UTC (permalink / raw)
To: Oleg Nesterov
Cc: Aleksa Sarai, LKML, Martin Schwidefsky, Heiko Carstens,
linux-s390, Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
OK, Martin would prefer a simple patch so here we go.
---
>From de1ad037f3181e795ef0e66a61b8fbe1157f66cc Mon Sep 17 00:00:00 2001
From: Michal Hocko <mhocko@suse.com>
Date: Mon, 23 May 2016 15:35:51 +0200
Subject: [PATCH] s390: fix info leak in do_sigsegv
Aleksa has reported incorrect si_errno value when stracing task which
received SIGSEGV:
[pid 20799] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_errno=2510266, si_addr=0x100000000000000}
The reason seems to be that do_sigsegv is not initializing siginfo
structure defined on the stack completely so it will leak 4B of
the previous stack content. Fix it simply by initializing si_errno
to 0 (same as do_sigbus does already).
Cc: stable # introduced pre-git times
Reported-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: Michal Hocko <mhocko@suse.com>
---
arch/s390/mm/fault.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
index 7a3144017301..19288c1b36d3 100644
--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
@@ -250,6 +250,7 @@ static noinline void do_sigsegv(struct pt_regs *regs, int si_code)
report_user_fault(regs, SIGSEGV, 1);
si.si_signo = SIGSEGV;
+ si.si_errno = 0;
si.si_code = si_code;
si.si_addr = (void __user *)(regs->int_parm_long & __FAIL_ADDR_MASK);
force_sig_info(SIGSEGV, &si, current);
--
2.8.1
--
Michal Hocko
SUSE Labs
^ permalink raw reply related [flat|nested] 11+ messages in thread* Re: [PATCH] s390: fix info leak in do_sigsegv
2016-05-23 13:43 ` [PATCH] s390: fix info leak in do_sigsegv Michal Hocko
@ 2016-05-23 14:47 ` Martin Schwidefsky
0 siblings, 0 replies; 11+ messages in thread
From: Martin Schwidefsky @ 2016-05-23 14:47 UTC (permalink / raw)
To: Michal Hocko
Cc: Oleg Nesterov, Aleksa Sarai, LKML, Heiko Carstens, linux-s390,
Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
On Mon, 23 May 2016 15:43:20 +0200
Michal Hocko <mhocko@kernel.org> wrote:
> OK, Martin would prefer a simple patch so here we go.
> ---
> From de1ad037f3181e795ef0e66a61b8fbe1157f66cc Mon Sep 17 00:00:00 2001
> From: Michal Hocko <mhocko@suse.com>
> Date: Mon, 23 May 2016 15:35:51 +0200
> Subject: [PATCH] s390: fix info leak in do_sigsegv
>
> Aleksa has reported incorrect si_errno value when stracing task which
> received SIGSEGV:
> [pid 20799] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_errno=2510266, si_addr=0x100000000000000}
>
> The reason seems to be that do_sigsegv is not initializing siginfo
> structure defined on the stack completely so it will leak 4B of
> the previous stack content. Fix it simply by initializing si_errno
> to 0 (same as do_sigbus does already).
>
> Cc: stable # introduced pre-git times
> Reported-by: Aleksa Sarai <asarai@suse.de>
> Signed-off-by: Michal Hocko <mhocko@suse.com>
> ---
> arch/s390/mm/fault.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
> index 7a3144017301..19288c1b36d3 100644
> --- a/arch/s390/mm/fault.c
> +++ b/arch/s390/mm/fault.c
> @@ -250,6 +250,7 @@ static noinline void do_sigsegv(struct pt_regs *regs, int si_code)
>
> report_user_fault(regs, SIGSEGV, 1);
> si.si_signo = SIGSEGV;
> + si.si_errno = 0;
> si.si_code = si_code;
> si.si_addr = (void __user *)(regs->int_parm_long & __FAIL_ADDR_MASK);
> force_sig_info(SIGSEGV, &si, current);
Applied to linux-s390:fixes. Thanks.
--
blue skies,
Martin.
"Reality continues to ruin my life." - Calvin.
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH] x86: fix potential memleak in do_error_trap
2016-05-23 11:16 siginfo memory leak? Michal Hocko
2016-05-23 12:43 ` Martin Schwidefsky
2016-05-23 13:43 ` [PATCH] s390: fix info leak in do_sigsegv Michal Hocko
@ 2016-05-23 13:54 ` Michal Hocko
2016-05-23 15:33 ` Oleg Nesterov
2016-05-23 15:42 ` siginfo memory leak? Oleg Nesterov
3 siblings, 1 reply; 11+ messages in thread
From: Michal Hocko @ 2016-05-23 13:54 UTC (permalink / raw)
To: Oleg Nesterov
Cc: Aleksa Sarai, LKML, Martin Schwidefsky, Heiko Carstens,
linux-s390, Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
And here is the x86 one. I haven't found others so far but I haven't
checked other architectures and I might have missed some callpaths for
x86 as well. Also please note this hasn't been tested properly and
it is based on the code reading.
---
>From fa8e84058c243f81a49c847624daaf935efdeb5a Mon Sep 17 00:00:00 2001
From: Michal Hocko <mhocko@suse.com>
Date: Mon, 23 May 2016 15:47:28 +0200
Subject: [PATCH] x86: fix potential memleak in do_error_trap
do_error_trap defines on stack siginfo structure which is then sent down
to do_trap -> force_sig_info without initializing it. __send_signal ->
copy_siginfo will copy the content for later use when the signal is
dequeued. This information might later leak into userspace. Fix it by
clearing the whole siginfo in do_error_trap before sending it to
do_trap.
Signed-off-by: Michal Hocko <mhocko@suse.com>
---
arch/x86/kernel/traps.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index d1590486204a..945b4dfc02e6 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -271,6 +271,7 @@ static void do_error_trap(struct pt_regs *regs, long error_code, char *str,
if (notify_die(DIE_TRAP, str, regs, error_code, trapnr, signr) !=
NOTIFY_STOP) {
+ memset(&info, 0, sizeof(info));
cond_local_irq_enable(regs);
do_trap(trapnr, signr, str, regs, error_code,
fill_trap_info(regs, signr, trapnr, &info));
--
2.8.1
--
Michal Hocko
SUSE Labs
^ permalink raw reply related [flat|nested] 11+ messages in thread* Re: [PATCH] x86: fix potential memleak in do_error_trap
2016-05-23 13:54 ` [PATCH] x86: fix potential memleak in do_error_trap Michal Hocko
@ 2016-05-23 15:33 ` Oleg Nesterov
2016-05-23 17:47 ` Michal Hocko
0 siblings, 1 reply; 11+ messages in thread
From: Oleg Nesterov @ 2016-05-23 15:33 UTC (permalink / raw)
To: Michal Hocko
Cc: Aleksa Sarai, LKML, Martin Schwidefsky, Heiko Carstens,
linux-s390, Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
On 05/23, Michal Hocko wrote:
>
> @@ -271,6 +271,7 @@ static void do_error_trap(struct pt_regs *regs, long error_code, char *str,
>
> if (notify_die(DIE_TRAP, str, regs, error_code, trapnr, signr) !=
> NOTIFY_STOP) {
> + memset(&info, 0, sizeof(info));
> cond_local_irq_enable(regs);
> do_trap(trapnr, signr, str, regs, error_code,
> fill_trap_info(regs, signr, trapnr, &info));
at first glance fill_trap_info() initializes everything we will copy
to user-space in copy_siginfo_to_user(__SI_FAULT).
But even if not, shuldn't we change fill_trap_info() instead ?
Oleg.
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: [PATCH] x86: fix potential memleak in do_error_trap
2016-05-23 15:33 ` Oleg Nesterov
@ 2016-05-23 17:47 ` Michal Hocko
0 siblings, 0 replies; 11+ messages in thread
From: Michal Hocko @ 2016-05-23 17:47 UTC (permalink / raw)
To: Oleg Nesterov
Cc: Aleksa Sarai, LKML, Martin Schwidefsky, Heiko Carstens,
linux-s390, Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
On Mon 23-05-16 17:33:55, Oleg Nesterov wrote:
> On 05/23, Michal Hocko wrote:
> >
> > @@ -271,6 +271,7 @@ static void do_error_trap(struct pt_regs *regs, long error_code, char *str,
> >
> > if (notify_die(DIE_TRAP, str, regs, error_code, trapnr, signr) !=
> > NOTIFY_STOP) {
> > + memset(&info, 0, sizeof(info));
> > cond_local_irq_enable(regs);
> > do_trap(trapnr, signr, str, regs, error_code,
> > fill_trap_info(regs, signr, trapnr, &info));
>
> at first glance fill_trap_info() initializes everything we will copy
> to user-space in copy_siginfo_to_user(__SI_FAULT).
Ohh, you are right. Dunno, how I managed to miss it. Sorry about the
noise.
> But even if not, shuldn't we change fill_trap_info() instead ?
Yes that would be the proper place.
--
Michal Hocko
SUSE Labs
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: siginfo memory leak?
2016-05-23 11:16 siginfo memory leak? Michal Hocko
` (2 preceding siblings ...)
2016-05-23 13:54 ` [PATCH] x86: fix potential memleak in do_error_trap Michal Hocko
@ 2016-05-23 15:42 ` Oleg Nesterov
3 siblings, 0 replies; 11+ messages in thread
From: Oleg Nesterov @ 2016-05-23 15:42 UTC (permalink / raw)
To: Michal Hocko
Cc: Aleksa Sarai, LKML, Martin Schwidefsky, Heiko Carstens,
linux-s390, Ingo Molnar, Thomas Gleixner, H. Peter Anvin, x86
On 05/23, Michal Hocko wrote:
>
> x86 do_error_trap doesn't do any initialization at all!
it actually does, please see fill_trap_info() although I'll try to
re-check if it initializes everything we need.
Oleg.
^ permalink raw reply [flat|nested] 11+ messages in thread