From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sargun Dhillon, Christian Brauner, Aleksa Sarai, Tycho Andersen, Kees Cook
Subject: [PATCH 5.4 094/191] seccomp: Check that seccomp_notif is zeroed out by the user
Date: Tue, 7 Jan 2020 21:53:34 +0100
Message-Id: <20200107205338.024294053@linuxfoundation.org>
In-Reply-To: <20200107205332.984228665@linuxfoundation.org>

From: Sargun Dhillon

commit 2882d53c9c6f3b8311d225062522f03772cf0179 upstream.

This patch is a small change in enforcement of the uapi for SECCOMP_IOCTL_NOTIF_RECV ioctl. Specifically, the data structure which is passed (seccomp_notif) must be zeroed out. Previously any of its members could be set to nonsense values, and we would ignore it. This ensures all fields are set to their zero value.

Signed-off-by: Sargun Dhillon
Reviewed-by: Christian Brauner
Reviewed-by: Aleksa Sarai
Acked-by: Tycho Andersen
Link: https://lore.kernel.org/r/20191229062451.9467-2-sargun@sargun.me
Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook
Signed-off-by: Greg Kroah-Hartman
---
 kernel/seccomp.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/kernel/seccomp.c +++ b/kernel/seccomp.c 
@@ -1015,6 +1015,13 @@ static long seccomp_notify_recv(struct s struct seccomp_notif unotif; ssize_t ret; + /* Verify that we're not given garbage to keep struct extensible. */ + ret = check_zeroed_user(buf, sizeof(unotif)); + if (ret < 0) + return ret; + if (!ret) + return -EINVAL; + memset(&unotif, 0, sizeof(unotif)); ret = down_interruptible(&filter->notif->request);
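Review bot: the new `return -EINVAL` at the top of seccomp_notify_recv() tightens a user-visible contract, and nothing in this patch documents it or tests it. A caller that hands SECCOMP_IOCTL_NOTIF_RECV an uninitialised struct seccomp_notif, which the commit message says was previously ignored, now gets an error, and this is going to stable. Suggest stating the zeroing requirement wherever the ioctl is documented for userspace, and adding a selftest that passes a buffer with a non-zero byte and expects -EINVAL. The in-code comment could also spell out the three outcomes of check_zeroed_user() (negative on a fault, 0 when a non-zero byte is found, positive when the buffer is all zero), because `if (!ret) return -EINVAL;` reads inverted on first pass. Placing the check before down_interruptible(&filter->notif->request) is the right order, since a rejected buffer then fails without taking a queued notification.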