Date: Wed, 26 Sep 2018 17:17:25 +0200
Message-Id: <20180926151725.63120-1-glider@google.com>
X-Mailer: git-send-email 2.19.0.605.g01d371f741-goog
Subject: [PATCH] ptrace: zero out siginfo_t in ptrace_peek_siginfo()
From: Alexander Potapenko
To: oleg@redhat.com
Cc: linux-kernel@vger.kernel.org, dvyukov@google.com, andreyknvl@google.com, w@1wt.eu, avagin@openvz.org
X-Mailing-List: linux-kernel@vger.kernel.org

KMSAN reported the following infoleak:

==================================================================
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x15d/0x1f0
...
Call Trace:
 __dump_stack lib/dump_stack.c:77
 dump_stack+0x2f5/0x430 lib/dump_stack.c:113
 kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:917
 kmsan_internal_check_memory+0x17e/0x1f0 mm/kmsan/kmsan.c:981
 kmsan_copy_to_user+0x79/0xc0 mm/kmsan/kmsan_hooks.c:482
 _copy_to_user+0x15d/0x1f0 lib/usercopy.c:31
 copy_to_user ./include/linux/uaccess.h:183
 copy_siginfo_to_user+0x81/0x130 kernel/signal.c:2897
 ptrace_peek_siginfo kernel/ptrace.c:741
 ptrace_request+0x2278/0x2680 kernel/ptrace.c:912
 arch_ptrace+0xbdd/0x11a0 arch/x86/kernel/ptrace.c:877
 __do_sys_ptrace kernel/ptrace.c:1145
 __se_sys_ptrace+0x422/0x920 kernel/ptrace.c:1110
 __x64_sys_ptrace+0x56/0x70 kernel/ptrace.c:1110
 do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7 arch/x86/entry/entry_64.S:240
...

Local variable description: ----info.i@ptrace_request
Variable was created at:
 ptrace_peek_siginfo kernel/ptrace.c:712
 ptrace_request+0xdf/0x2680 kernel/ptrace.c:912
 arch_ptrace+0xbdd/0x11a0 arch/x86/kernel/ptrace.c:877

Bytes 16-127 of 128 are uninitialized
Memory access starts at ffff88007af6fc90
==================================================================

when calling ptrace(PTRACE_PEEKSIGINFO) for a traceable child process
with args = {-1, 0, 1}.

Initialize the |info| structure to avoid leaking stack data.
Signed-off-by: Alexander Potapenko
Reported-by: syzbot+69c3bd9869b32e394c48@syzkaller.appspotmail.com
Fixes: 84c751bd4aebb ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
Cc: Andrey Vagin
Cc: Oleg Nesterov
Cc: Willy Tarreau
---
 kernel/ptrace.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 21fec73d45d4..92c3855c2b9c 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -712,6 +712,7 @@ static int ptrace_peek_siginfo(struct task_struct *child,
 siginfo_t info; s32 off = arg.off + i; + memset(&info, 0, sizeof(info)); spin_lock_irq(&child->sighand->siglock); list_for_each_entry(q, &pending->list, list) { if (!off--) {
-- 
2.19.0.605.g01d371f741-goog
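Review bot: the added `memset(&info, 0, sizeof(info));` stops the stack bytes from escaping, but the trigger described in the message survives it: with args = {-1, 0, 1}, `s32 off = arg.off + i;` starts at -1, so `if (!off--) {` can never match and `info` is still handed to copy_siginfo_to_user() without any queued entry having been copied into it, now as an all-zero siginfo instead of stack garbage. Consider also rejecting a negative arg.off before the loop (e.g. returning -EINVAL) so a bogus offset fails loudly rather than yielding a fake empty signal; the memset is worth keeping independently of that.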
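The mechanism the commit message describes, as an added userspace model written for this page (not kernel code and not the author's): the loop test and the 128-byte buffer follow the hunk and the KMSAN report, while `struct queued`, `peek_model()`, `leaked_bytes()` and the POISON marker are assumptions standing in for the pending signal list, the loop body and stale stack contents, and the end-of-list bail-out is modelled on the `off >= 0` check that follows the loop in kernel/ptrace.c.

```c
#include <stdint.h>
#include <string.h>

#define INFO_SIZE 128   /* sizeof(siginfo_t) per the KMSAN report */
#define POISON    0xAA  /* constructed stand-in for stale stack bytes */

struct queued { uint8_t info[INFO_SIZE]; };  /* one pending signal */

/* Constructed model of one ptrace_peek_siginfo() loop iteration (not
 * kernel code). Returns how many bytes handed to "userspace" still hold
 * POISON, i.e. came from the uninitialised stack buffer. */
static int peek_model(const struct queued *queue, size_t nqueued,
                      int32_t off, int zero_first, uint8_t user[INFO_SIZE])
{
    uint8_t info[INFO_SIZE];
    int leaked = 0;

    memset(info, POISON, sizeof(info));   /* simulate stale stack contents */
    if (zero_first)
        memset(info, 0, sizeof(info));    /* the patch's added memset() */

    for (size_t i = 0; i < nqueued; i++) {
        if (!off--) {                     /* same test as the kernel loop */
            memcpy(info, queue[i].info, sizeof(info)); /* copy_siginfo() */
            break;
        }
    }
    if (off >= 0)      /* kernel's "beyond the end of the list" bail-out */
        return 0;
    /* A negative off never matches and never trips the check above, so the
     * buffer reaches copy_siginfo_to_user() exactly as the stack left it. */
    memcpy(user, info, INFO_SIZE);
    for (size_t b = 0; b < INFO_SIZE; b++)
        leaked += (user[b] == POISON);
    return leaked;
}

/* Drive the model with `nqueued` (0 or 1) constructed entries. The report's
 * args = {-1, 0, 1} corresponds to leaked_bytes(0, -1, 0), which leaks all
 * 128 bytes; leaked_bytes(0, -1, 1) is the same call after the patch. */
static int leaked_bytes(size_t nqueued, int32_t off, int patched)
{
    struct queued q[1] = { { { 0x11 } } };
    uint8_t user[INFO_SIZE];
    return peek_model(q, nqueued, off, patched, user);
}
```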