From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Dmitry V. Levin", Helge Deller
Subject: [PATCH 4.9 38/63] parisc: Fix ptrace syscall number modification
Date: Mon, 25 Feb 2019 22:11:38 +0100
Message-Id: <20190225195038.725976025@linuxfoundation.org>
In-Reply-To: <20190225195035.713274200@linuxfoundation.org>
References: <20190225195035.713274200@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry V. Levin

commit b7dc5a071ddf69c0350396b203cba32fe5bab510 upstream.

Commit 910cd32e552e ("parisc: Fix and enable seccomp filter support")
introduced a regression in ptrace-based syscall tampering: when tracer
changes syscall number to -1, the kernel fails to initialize %r28 with
-ENOSYS and subsequently fails to return the error code of the failed
syscall to userspace.

This erroneous behaviour could be observed with a simple strace syscall
fault injection command which is expected to print something like this:

  $ strace -a0 -ewrite -einject=write:error=enospc echo hello
  write(1, "hello\n", 6) = -1 ENOSPC (No space left on device) (INJECTED)
  write(2, "echo: ", 6) = -1 ENOSPC (No space left on device) (INJECTED)
  write(2, "write error", 11) = -1 ENOSPC (No space left on device) (INJECTED)
  write(2, "\n", 1) = -1 ENOSPC (No space left on device) (INJECTED)
  +++ exited with 1 +++

After commit 910cd32e552ea09caa89cdbe328e468979b030dd it loops printing
something like this instead:

  write(1, "hello\n", 6../strace: Failed to tamper with process 12345: unexpectedly got no error (return value 0, error 0)
  ) = 0 (INJECTED)

This bug was found by strace test suite.

Fixes: 910cd32e552e ("parisc: Fix and enable seccomp filter support")
Cc: stable@vger.kernel.org # v4.5+
Signed-off-by: Dmitry V. Levin
Tested-by: Helge Deller
Signed-off-by: Helge Deller
Signed-off-by: Greg Kroah-Hartman

---
 arch/parisc/kernel/ptrace.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

--- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c
@@ -311,15 +311,29 @@ long compat_arch_ptrace(struct task_stru long do_syscall_trace_enter(struct pt_regs *regs) { - if (test_thread_flag(TIF_SYSCALL_TRACE) && - tracehook_report_syscall_entry(regs)) { + if (test_thread_flag(TIF_SYSCALL_TRACE)) { + int rc = tracehook_report_syscall_entry(regs); + /* - * Tracing decided this syscall should not happen or the - * debugger stored an invalid system call number. Skip - * the system call and the system call restart handling. + * As tracesys_next does not set %r28 to -ENOSYS + * when %r20 is set to -1, initialize it here. */ - regs->gr[20] = -1UL; - goto out; + regs->gr[28] = -ENOSYS; + + if (rc) { + /* + * A nonzero return code from + * tracehook_report_syscall_entry() tells us + * to prevent the syscall execution. Skip + * the syscall call and the syscall restart handling. + * + * Note that the tracer may also just change + * regs->gr[20] to an invalid syscall number, + * that is handled by tracesys_next. + */ + regs->gr[20] = -1UL; + return -1; + } } /* Do the secure computing check after ptrace. */ @@ -343,7 +357,6 @@ long do_syscall_trace_enter(struct pt_re regs->gr[24] & 0xffffffff, regs->gr[23] & 0xffffffff); -out: /* * Sign extend the syscall number to 64bit since it may have been * modified by a compat ptrace call
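
Review bot: In the first hunk, "regs->gr[28] = -ENOSYS;" sits inside the "if (test_thread_flag(TIF_SYSCALL_TRACE))" branch, so %r28 is initialized only for tasks stopped by syscall-entry tracing. The secure computing check that follows ("Do the secure computing check after ptrace.") runs whether or not that flag is set; if the syscall number can also be changed to -1 on that path, %r28 is left untouched there and the same symptom would remain. Please either state in the comment why the seccomp path does not need the initialization, or move it so that both paths are covered. Separately, the assignment runs after tracehook_report_syscall_entry() returns, so anything the tracer stored in gr[28] during the entry stop is overwritten; the comment should say that this is intended.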
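
Review bot: Removing the "out:" label in the second hunk means the skip path now leaves through the "return -1" added in the first hunk and no longer passes through the "Sign extend the syscall number to 64bit" block that the old "goto out" landed on. That is harmless as written, because gr[20] has just been set to -1UL, but nothing in the code says the bypass is deliberate. A one-line comment at the "return -1" noting that the sign extension is skipped on purpose would keep a later edit from reintroducing a jump to the tail or changing the stored value without updating the return.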