From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrei Vagin <avagin@gmail.com>,
syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com,
"Eric W. Biederman" <ebiederm@xmission.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 44/84] [PATCH] signal/ptrace: Dont leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
Date: Thu, 20 Jun 2019 19:56:41 +0200 [thread overview]
Message-ID: <20190620174345.146160824@linuxfoundation.org> (raw)
In-Reply-To: <20190620174337.538228162@linuxfoundation.org>
[ Upstream commit f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 ]
Recently syzbot in conjunction with KMSAN reported that
ptrace_peek_siginfo can copy an uninitialized siginfo to userspace.
Inspecting ptrace_peek_siginfo confirms this.
The problem is that off when initialized from args.off can be
initialized to a negaive value. At which point the "if (off >= 0)"
test to see if off became negative fails because off started off
negative.
Prevent the core problem by adding a variable found that is only true
if a siginfo is found and copied to a temporary in preparation for
being copied to userspace.
Prevent args.off from being truncated when being assigned to off by
testing that off is <= the maximum possible value of off. Convert off
to an unsigned long so that we should not have to truncate args.off,
we have well defined overflow behavior so if we add another check we
won't risk fighting undefined compiler behavior, and so that we have a
type whose maximum value is easy to test for.
Cc: Andrei Vagin <avagin@gmail.com>
Cc: stable@vger.kernel.org
Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/ptrace.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 8303874c2a06..bb6db489833f 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -673,6 +673,10 @@ static int ptrace_peek_siginfo(struct task_struct *child,
if (arg.nr < 0)
return -EINVAL;
+ /* Ensure arg.off fits in an unsigned long */
+ if (arg.off > ULONG_MAX)
+ return 0;
+
if (arg.flags & PTRACE_PEEKSIGINFO_SHARED)
pending = &child->signal->shared_pending;
else
@@ -680,18 +684,20 @@ static int ptrace_peek_siginfo(struct task_struct *child,
for (i = 0; i < arg.nr; ) {
siginfo_t info;
- s32 off = arg.off + i;
+ unsigned long off = arg.off + i;
+ bool found = false;
spin_lock_irq(&child->sighand->siglock);
list_for_each_entry(q, &pending->list, list) {
if (!off--) {
+ found = true;
copy_siginfo(&info, &q->info);
break;
}
}
spin_unlock_irq(&child->sighand->siglock);
- if (off >= 0) /* beyond the end of the list */
+ if (!found) /* beyond the end of the list */
break;
#ifdef CONFIG_COMPAT
--
2.20.1
next prev parent reply other threads:[~2019-06-20 18:31 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-20 17:55 [PATCH 4.4 00/84] 4.4.183-stable review Greg Kroah-Hartman
2019-06-20 17:55 ` [PATCH 4.4 01/84] fs/fat/file.c: issue flush after the writeback of FAT Greg Kroah-Hartman
2019-06-20 17:55 ` [PATCH 4.4 02/84] sysctl: return -EINVAL if val violates minmax Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 03/84] ipc: prevent lockup on alloc_msg and free_msg Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 04/84] hugetlbfs: on restore reserve error path retain subpool reservation Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 05/84] mm/cma.c: fix crash on CMA allocation if bitmap allocation fails Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 06/84] mm/cma_debug.c: fix the break condition in cma_maxchunk_get() Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 07/84] kernel/sys.c: prctl: fix false positive in validate_prctl_map() Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 08/84] mfd: intel-lpss: Set the device in reset state when init Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 09/84] mfd: twl6040: Fix device init errors for ACCCTL register Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 10/84] perf/x86/intel: Allow PEBS multi-entry in watermark mode Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 11/84] drm/bridge: adv7511: Fix low refresh rate selection Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 12/84] ntp: Allow TAI-UTC offset to be set to zero Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 13/84] f2fs: fix to avoid panic in do_recover_data() Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 14/84] f2fs: fix to do sanity check on valid block count of segment Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 15/84] iommu/vt-d: Set intel_iommu_gfx_mapped correctly Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 16/84] ALSA: hda - Register irq handler after the chip initialization Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 17/84] nvmem: core: fix read buffer in place Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 18/84] fuse: retrieve: cap requested size to negotiated max_write Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 19/84] nfsd: allow fh_want_write to be called twice Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 20/84] x86/PCI: Fix PCI IRQ routing table memory leak Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 21/84] platform/chrome: cros_ec_proto: check for NULL transfer function Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 22/84] soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 23/84] clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288 Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 24/84] ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 25/84] ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" " Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 26/84] ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG " Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 27/84] PCI: rpadlpar: Fix leaked device_node references in add/remove paths Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 28/84] PCI: rcar: Fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 29/84] video: hgafb: fix " Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 30/84] video: imsttfb: fix potential NULL pointer dereferences Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 31/84] PCI: xilinx: Check for __get_free_pages() failure Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 32/84] gpio: gpio-omap: add check for off wake capable gpios Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 33/84] dmaengine: idma64: Use actual device for DMA transfers Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 34/84] pwm: tiehrpwm: Update shadow register for disabling PWMs Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 35/84] ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 36/84] pwm: Fix deadlock warning when removing PWM device Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 37/84] ARM: exynos: Fix undefined instruction during Exynos5422 resume Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 38/84] futex: Fix futex lock the wrong page Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 39/84] Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections" Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 40/84] ALSA: seq: Cover unsubscribe_port() in list_mutex Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 41/84] libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 42/84] mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 43/84] fs/ocfs2: fix race in ocfs2_dentry_attach_lock() Greg Kroah-Hartman
2019-06-20 17:56 ` Greg Kroah-Hartman [this message]
2019-06-20 17:56 ` [PATCH 4.4 45/84] ptrace: restore smp_rmb() in __ptrace_may_access() Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 46/84] i2c: acorn: fix i2c warning Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 47/84] bcache: fix stack corruption by PRECEDING_KEY() Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 48/84] cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css() Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 49/84] ASoC: cs42xx8: Add regcache mask dirty Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 50/84] Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 51/84] scsi: lpfc: add check for loss of ndlp when sending RRQ Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 52/84] scsi: bnx2fc: fix incorrect cast to u64 on shift operation Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 53/84] usbnet: ipheth: fix racing condition Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 54/84] KVM: x86/pmu: do not mask the value that is written to fixed PMUs Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 55/84] KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 56/84] drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 57/84] drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define() Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 58/84] USB: Fix chipmunk-like voice when using Logitech C270 for recording audio Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 59/84] USB: usb-storage: Add new ID to ums-realtek Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 60/84] USB: serial: pl2303: add Allied Telesis VT-Kit3 Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 61/84] USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode Greg Kroah-Hartman
2019-06-20 17:56 ` [PATCH 4.4 62/84] USB: serial: option: add Telit 0x1260 and 0x1261 compositions Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 63/84] ax25: fix inconsistent lock state in ax25_destroy_timer Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 64/84] be2net: Fix number of Rx queues used for flow hashing Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 65/84] ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 66/84] lapb: fixed leak of control-blocks Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 67/84] neigh: fix use-after-free read in pneigh_get_next Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 68/84] sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 69/84] mISDN: make sure device name is NUL terminated Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 70/84] x86/CPU/AMD: Dont force the CPB cap when running under a hypervisor Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 71/84] perf/ring_buffer: Fix exposing a temporarily decreased data_head Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 72/84] perf/ring_buffer: Add ordering to rb->nest increment Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 73/84] gpio: fix gpio-adp5588 build errors Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 74/84] net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE() Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 75/84] i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 76/84] configfs: Fix use-after-free when accessing sd->s_dentry Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 77/84] ia64: fix build errors by exporting paddr_to_nid() Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 78/84] KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 79/84] net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 80/84] scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route() Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 81/84] scsi: libsas: delete sas port if expander discover failed Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 82/84] Revert "crypto: crypto4xx - properly set IV after de- and encrypt" Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 83/84] coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping Greg Kroah-Hartman
2019-06-20 17:57 ` [PATCH 4.4 84/84] Abort file_remove_privs() for non-reg. files Greg Kroah-Hartman
2019-06-20 22:11 ` [PATCH 4.4 00/84] 4.4.183-stable review kernelci.org bot
2019-06-21 3:57 ` Naresh Kamboju
2019-06-22 0:43 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190620174345.146160824@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=avagin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).