Date: Wed, 10 Oct 2018 00:16:26 -0700
From: Andrei Vagin
To: Alexander Potapenko
Cc: oleg@redhat.com, linux-kernel@vger.kernel.org, dvyukov@google.com, andreyknvl@google.com, w@1wt.eu, avagin@openvz.org
Subject: Re: [PATCH] ptrace: zero out siginfo_t in ptrace_peek_siginfo()
Message-ID: <20181010071626.GA2351@gmail.com>
References: <20180926151725.63120-1-glider@google.com>
In-Reply-To: <20180926151725.63120-1-glider@google.com>
User-Agent: Mutt/1.10.0 (2018-05-17)
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Sep 26, 2018 at 05:17:25PM +0200, Alexander Potapenko wrote:
> KMSAN reported the following infoleak:
>
> ==================================================================
> BUG: KMSAN: kernel-infoleak in _copy_to_user+0x15d/0x1f0
> ...
> Call Trace:
>  __dump_stack lib/dump_stack.c:77
>  dump_stack+0x2f5/0x430 lib/dump_stack.c:113
>  kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:917
>  kmsan_internal_check_memory+0x17e/0x1f0 mm/kmsan/kmsan.c:981
>  kmsan_copy_to_user+0x79/0xc0 mm/kmsan/kmsan_hooks.c:482
>  _copy_to_user+0x15d/0x1f0 lib/usercopy.c:31
>  copy_to_user ./include/linux/uaccess.h:183
>  copy_siginfo_to_user+0x81/0x130 kernel/signal.c:2897
>  ptrace_peek_siginfo kernel/ptrace.c:741
>  ptrace_request+0x2278/0x2680 kernel/ptrace.c:912
>  arch_ptrace+0xbdd/0x11a0 arch/x86/kernel/ptrace.c:877
>  __do_sys_ptrace kernel/ptrace.c:1145
>  __se_sys_ptrace+0x422/0x920 kernel/ptrace.c:1110
>  __x64_sys_ptrace+0x56/0x70 kernel/ptrace.c:1110
>  do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
>  entry_SYSCALL_64_after_hwframe+0x63/0xe7 arch/x86/entry/entry_64.S:240
> ...
> Local variable description: ----info.i@ptrace_request
> Variable was created at:
>  ptrace_peek_siginfo kernel/ptrace.c:712
>  ptrace_request+0xdf/0x2680 kernel/ptrace.c:912
>  arch_ptrace+0xbdd/0x11a0 arch/x86/kernel/ptrace.c:877
>
> Bytes 16-127 of 128 are uninitialized
> Memory access starts at ffff88007af6fc90
> ==================================================================
>
> when calling ptrace(PTRACE_PEEKSIGINFO) for a traceable child process
> with args = {-1, 0, 1}.
>
> Initialize the |info| structure to avoid leaking stack data.

"info" is filled up by copy_siginfo(), which overwrites everything.

static inline void copy_siginfo(struct siginfo *to, const struct siginfo *from)
{
	memcpy(to, from, sizeof(*to));
}

so here is another problem. We handle arg.off incorrectly. The right fix
should look something like this:

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 21fec73d45d4..e336434a6f71 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -710,7 +710,7 @@ static int ptrace_peek_siginfo(struct task_struct *child,
 
 	for (i = 0; i < arg.nr; ) {
 		siginfo_t info;
-		s32 off = arg.off + i;
+		u64 off = arg.off + i;
 
 		spin_lock_irq(&child->sighand->siglock);
 		list_for_each_entry(q, &pending->list, list) {
@@ -721,7 +721,7 @@ static int ptrace_peek_siginfo(struct task_struct *child,
 		}
 		spin_unlock_irq(&child->sighand->siglock);
 
-		if (off >= 0) /* beyond the end of the list */
+		if (off + 1 != 0) /* beyond the end of the list */
 			break;
 
 #ifdef CONFIG_COMPAT

>
> Signed-off-by: Alexander Potapenko
> Reported-by: syzbot+69c3bd9869b32e394c48@syzkaller.appspotmail.com
> Fixes: 84c751bd4aebb ("ptrace: add ability to retrieve signals without
> removing from a queue (v4)")
> Cc: Andrey Vagin
> Cc: Oleg Nesterov
> Cc: Willy Tarreau
> ---
>  kernel/ptrace.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 21fec73d45d4..92c3855c2b9c 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -712,6 +712,7 @@ static int ptrace_peek_siginfo(struct task_struct *child,
>  		siginfo_t info;
>  		s32 off = arg.off + i;
>  
> +		memset(&info, 0, sizeof(info));
>  		spin_lock_irq(&child->sighand->siglock);
>  		list_for_each_entry(q, &pending->list, list) {
>  			if (!off--) {
> --
> 2.19.0.605.g01d371f741-goog
>
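Review bot: in the second hunk of the reply's diff, `if (off + 1 != 0)` infers "found" from the leftover value of off, and off is also ~0 when the list_for_each_entry() body never ran: an empty pending list with arg.off == (u64)-1 (the offset in the reproducer's args = {-1, 0, 1}) leaves off untouched at ~0, skips the break and still copies the never-written info. A `bool found` set next to copy_siginfo() in the `if (!off--)` branch and tested with `if (!found)` does not depend on that arithmetic, and the u64 widening in the first hunk can stay as is.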
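Review bot: the memset() in the quoted hunk makes the copied bytes deterministic but leaves the underlying logic in place: with `s32 off = arg.off + i` an arg.off of (u64)-1 truncates to -1, `if (!off--)` never matches, the `if (off >= 0)` test shown unchanged in the reply's diff does not break, and a zero-filled siginfo is returned to the tracer as though a signal were queued at that offset. The offset handling needs to be fixed first; the memset is at most defence in depth on top of that.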
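A user-space model of the offset walk this thread is about, added here as an illustration and not code from the kernel or from either patch: peek_original is the loop before either change, peek_proposed applies the reply's u64 and `off + 1 != 0` lines, and peek_found_flag is an assumed hardening with an explicit flag; the three-entry signal queue is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed stand-in for child->pending: the list_for_each_entry() walk in
 * ptrace_peek_siginfo() becomes a scan over an array of signal numbers. */
static const int queue_signo[3] = { 10, 11, 12 };
enum peek { PEEK_STOP = 0, PEEK_FOUND = 1, PEEK_STALE = -1 };
/* Tree before either patch: __u64 arg.off lands in an s32 and only a non-negative
 * leftover counts as "beyond the list"; PEEK_STALE = unwritten stack copied out. */
enum peek peek_original(uint64_t arg_off, int i, int len, int *signo)
{
    int32_t off = arg_off + i;        /* (u64)-1 truncates to -1 */
    bool found = false;
    for (int k = 0; k < len && !found; k++)
        if (!off--) {                 /* never true once off starts negative */
            *signo = queue_signo[k];
            found = true;
        }
    if (off >= 0)                     /* beyond the end of the list */
        return PEEK_STOP;
    return found ? PEEK_FOUND : PEEK_STALE;
}

/* The u64 walk shared by the two variants below (the kernel's "if (!off--)"). */
static bool walk(uint64_t *off, int len, int *signo)
{
    for (int k = 0; k < len; k++)
        if (!(*off)--) {
            *signo = queue_signo[k];
            return true;
        }
    return false;
}

/* Reply's diff: a hit leaves off == ~0ULL, so "off + 1 != 0" means not found; but
 * an empty queue never runs the body, so (u64)-1 also ends as ~0ULL and passes. */
enum peek peek_proposed(uint64_t arg_off, int i, int len, int *signo)
{
    uint64_t off = arg_off + i;
    bool found = walk(&off, len, signo);
    if (off + 1 != 0)                 /* beyond the end of the list */
        return PEEK_STOP;
    return found ? PEEK_FOUND : PEEK_STALE;
}

/* Assumed hardening (not from the thread): break on the flag, not on off. */
enum peek peek_found_flag(uint64_t arg_off, int i, int len, int *signo)
{
    uint64_t off = arg_off + i;
    return walk(&off, len, signo) ? PEEK_FOUND : PEEK_STOP;
}
```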