From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andrei Vagin, syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com, "Eric W. Biederman", Sasha Levin
Subject: [PATCH 4.4 44/84] [PATCH] signal/ptrace: Don't leak uninitialized kernel memory with PTRACE_PEEK_SIGINFO
Date: Thu, 20 Jun 2019 19:56:41 +0200
Message-Id: <20190620174345.146160824@linuxfoundation.org>
In-Reply-To: <20190620174337.538228162@linuxfoundation.org>
References: <20190620174337.538228162@linuxfoundation.org>
X-Mailing-List: stable@vger.kernel.org

[ Upstream commit f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 ]

Recently syzbot in conjunction with KMSAN reported that ptrace_peek_siginfo can copy an uninitialized siginfo to userspace. Inspecting ptrace_peek_siginfo confirms this.

The problem is that off, when initialized from args.off, can be initialized to a negative value. At which point the "if (off >= 0)" test to see if off became negative fails because off started off negative.

Prevent the core problem by adding a variable found that is only true if a siginfo is found and copied to a temporary in preparation for being copied to userspace.

Prevent args.off from being truncated when being assigned to off by testing that off is <= the maximum possible value of off.

Convert off to an unsigned long so that we should not have to truncate args.off, we have well defined overflow behavior so if we add another check we won't risk fighting undefined compiler behavior, and so that we have a type whose maximum value is easy to test for.

Cc: Andrei Vagin
Cc: stable@vger.kernel.org
Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin --- kernel/ptrace.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 8303874c2a06..bb6db489833f 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -673,6 +673,10 @@ static int ptrace_peek_siginfo(struct task_struct *child, if (arg.nr < 0) return -EINVAL; + /* Ensure arg.off fits in an unsigned long */ + if (arg.off > ULONG_MAX) + return 0; + if (arg.flags & PTRACE_PEEKSIGINFO_SHARED) pending = &child->signal->shared_pending; else @@ -680,18 +684,20 @@ static int ptrace_peek_siginfo(struct task_struct *child, for (i = 0; i < arg.nr; ) { siginfo_t info; - s32 off = arg.off + i; + unsigned long off = arg.off + i; + bool found = false; spin_lock_irq(&child->sighand->siglock); list_for_each_entry(q, &pending->list, list) { if (!off--) { + found = true; copy_siginfo(&info, &q->info); break; } } spin_unlock_irq(&child->sighand->siglock); - if (off >= 0) /* beyond the end of the list */ + if (!found) /* beyond the end of the list */ break; #ifdef CONFIG_COMPAT -- 2.20.1
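Review bot: the early `return 0` on `arg.off > ULONG_MAX` in the first hunk reports "no signals" for an out-of-range offset, while the neighbouring `arg.nr < 0` check two lines above returns -EINVAL, and the new comment only says the value must fit in an unsigned long. Either return -EINVAL here as well, or extend the comment to state that an offset that cannot fit is by definition beyond the end of the list, which is what the `if (!found) break;` path in the second hunk does for smaller offsets. If `arg.off` is a 64-bit field (its declaration is not in this hunk), the comparison can never be true on a 64-bit build and only guards the 32-bit truncation the commit message describes; a short comment saying so would stop the next reader from treating it as dead code.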
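Review bot: `unsigned long off = arg.off + i;` in the second hunk can still wrap when `arg.off` is close to ULONG_MAX, because `i` is added after the range check in the first hunk; the wrapped value is a small offset that selects an entry from the front of the queue instead of being treated as past the end. The commit message accepts this ("we have well defined overflow behavior so if we add another check we won't risk fighting undefined compiler behavior"), so a one-line guard such as `if (off < arg.off) break;` right after the assignment would close it without changing the rest of the hunk. The `found` flag itself is the right fix: `if (!off--)` on an unsigned value wraps to ULONG_MAX on the matching entry, which is harmless because of the immediate `break`, and `if (!found)` no longer depends on the sign of `off` at all.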
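A user-space model of the before and after logic from the commit message above, added here as an illustration and not taken from the kernel or from this patch: `peek_old` mirrors the signed 32-bit `off` with the `off >= 0` end-of-list test, `peek_new` the unsigned `off` with the `found` flag. The queue contents, the function names and the return convention are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the pending-signal list: one signal number per entry. */
#define QUEUE_LEN 3
static const int queue[QUEUE_LEN] = { 10, 12, 17 };   /* SIGUSR1, SIGUSR2, SIGCHLD */

/* Pre-patch logic: the caller's offset is truncated to a signed 32-bit value and
 * "past the end" is detected only by off being non-negative after the walk.
 * Returns 1 when the caller is told that an entry was copied into *info. */
int peek_old(uint64_t arg_off, int *info)
{
    int32_t off = (int32_t)arg_off;   /* 0xFFFFFFFF becomes -1 here */
    for (int i = 0; i < QUEUE_LEN; i++) {
        /* never matches once off starts negative: it only gets more negative */
        if (!off--) { *info = queue[i]; break; }
    }
    if (off >= 0)                     /* beyond the end of the list */
        return 0;
    return 1;                         /* "copied", even though *info may be untouched */
}

/* Patched logic: no truncation, an unsigned offset and an explicit found flag. */
int peek_new(uint64_t arg_off, int *info)
{
    if (arg_off > ULONG_MAX)          /* cannot fit in unsigned long (32-bit hosts) */
        return 0;
    unsigned long off = (unsigned long)arg_off;
    bool found = false;
    for (int i = 0; i < QUEUE_LEN; i++) {
        /* the post-decrement wraps on the matching entry, but we break right away */
        if (!off--) { found = true; *info = queue[i]; break; }
    }
    return found ? 1 : 0;             /* report a copy only when one really happened */
}

int main(void)
{
    int info = -1;                    /* sentinel: stays -1 if nothing was copied */
    int rc = peek_old(UINT64_C(0xFFFFFFFF), &info);
    printf("old: rc=%d info=%d  (rc=1 with info untouched is the leak)\n", rc, info);
    info = -1;
    rc = peek_new(UINT64_C(0xFFFFFFFF), &info);
    printf("new: rc=%d info=%d\n", rc, info);
    return 0;
}
```

In the kernel the untouched temporary is then copied to userspace, which is the uninitialized-memory leak KMSAN reported; the model shows it as a "copied" result with the sentinel still in place.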