Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5754310ybi; Tue, 4 Jun 2019 11:35:32 -0700 (PDT) X-Google-Smtp-Source: APXvYqyRYe97NgmNcG6FLsMATKeEDn/KX0CuSWYuNPrF8oablB+And3ZO0KttQUbY9zMKfp9cu9y X-Received: by 2002:a17:902:8f96:: with SMTP id z22mr38333405plo.248.1559673332291; Tue, 04 Jun 2019 11:35:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559673332; cv=none; d=google.com; s=arc-20160816; b=UwWRHJXvU6Ecs+g+nEDQEXAI2Sf5Kr81hgBCZo9vw7KYMxzi+gZnF2r4KCtXuUNZms m1TkCfqdgVRt3kYTkXGZgEAmOUyiz39khZw+gSdR07ok5VvIXRlmBts61ZMeMriz6tc+ Gwe9kAD4lVU6ifMywbx4ePJiZpPc0O7sEriu6+d6d/g6iVQMZXMbrlcrSG2SgcoWK9pP BOuNlnFmEqmys2GCcDqb0tXFXP6uRCABb8iaMdrAN4CVX4GFXYd81V42YEy/8o/AmNk5 4olMClYqXruqFgSGNqzmGrSRRMm9zOTxFCaWrb8ROAicguIj62E1k7tcwL2GdKua4eMx SRHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=GxIk9skfL10h++xFzeC1ExctfO9RGW2vbzK+6HmIbys=; b=s4D217GkLfWTvcb9HB8XHgRi0K+D48fa8fidXLKF8MfEtjGfUryowJcJpCec0xPd+G 7WoFvxpQxqi67dNiGZnKocL6ZhnSvkZnZW3APk7EzC6qoIfCrqVgz0ibHGwHBOSqXkwr 5r+pbGeI/oPKTgfh8zfymDW6AWR8NqwW5fWaiQAIueiSF8syoPC70iw4TJej5eBGPmun kcdsmy/qiPdiT921EgkGGb1HHLFJaUtT5wRblUSFc+/DdsulDKPZFRv8lwpbffUd9gAC kxh16ZW4S8zewn5N/eh6pnLZx5wdUE+eeBH9jT1ipmpXIHXa1ujUX+JMUV5XvdduuxzF vEAg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=UWm7+vuq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u14si9672504pgm.401.2019.06.04.11.35.13; Tue, 04 Jun 2019 11:35:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=UWm7+vuq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726464AbfFDSdT (ORCPT + 99 others); Tue, 4 Jun 2019 14:33:19 -0400 Received: from mail-ua1-f67.google.com ([209.85.222.67]:42291 "EHLO mail-ua1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725933AbfFDSdT (ORCPT ); Tue, 4 Jun 2019 14:33:19 -0400 Received: by mail-ua1-f67.google.com with SMTP id e9so8173179uar.9 for ; Tue, 04 Jun 2019 11:33:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GxIk9skfL10h++xFzeC1ExctfO9RGW2vbzK+6HmIbys=; b=UWm7+vuqyfxHrQcdqAb2ZCmFmzV5z3xDzutiPJa/oHikBKy4EeGo8QZXgLuXoFCL0E jnW/hiLpxr9r7ka7jxc2PnUFhenSel2a0KZhamHNt5zHFMDOnVTMMuIy+dG1VTNWnHlj Bz3h9uyTr3HL3YMO5k/Ep7bE2NfcIDQfo8ZsjGu8NC2ssF+laZswqzGTeCXvgA/uUtHM nH/R3d8Ba2pcaPk3Sh6fHmefCJtVrOH1HThe6DaXpfaItYOoNx/MndrgrnM+UkEH00a3 AtewB/+L5MwcVnVF2GljbisSpyUcF64vk7jfNxvxGNRo130gUtxwEd8ewuo2250Mr9Dk tezA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GxIk9skfL10h++xFzeC1ExctfO9RGW2vbzK+6HmIbys=; b=UWGAmBROMGWb1widFvTSNnC4kB7xAgIp4yv85TxUh6byPxFNXA4tuMZ3Mj0PxqifIm +DIjGPHOtSLd/UOhOYtumVejd890EsHWUNxv6s+G+mVYjPmm3Eqqn/dGUwjE+OJq+3tY lKwMzR1FJ6jCAJ+/1LVTbEOSqmfkY5tWNOVpX9WAcbifrNAnrhj7aQSbU/dBIhhLlmi3 IkYXUKLDftUnzNC4McjMJoin1xYIfxLbT3hTfqiJrVQgjpLc+oP7SUCwg3AVUChyF0IK CC3m23ZU/5pWVmZOVkH9BdarlmP6v3PtvzWLbeD9GZG+k++5XlkExEJWTCHDsdF51GpS OAbA== X-Gm-Message-State: APjAAAWrVMLSLaA07Is5pOX9nk3sJM4l0AgzPsjCltk55bSYtW7nYuT1 VpMoM7RQkfLYC2eQ4C/9moa/L/2m1xabId1M3Ks= X-Received: by 2002:ab0:5a88:: with SMTP id w8mr4749403uae.50.1559673197560; Tue, 04 Jun 2019 11:33:17 -0700 (PDT) MIME-Version: 1.0 References: <000000000000410d500588adf637@google.com> <87woia5vq3.fsf@xmission.com> <20190528124746.ac703cd668ca9409bb79100b@linux-foundation.org> <87pno23vim.fsf_-_@xmission.com> In-Reply-To: <87pno23vim.fsf_-_@xmission.com> From: Andrei Vagin Date: Tue, 4 Jun 2019 11:33:06 -0700 Message-ID: Subject: Re: [PATCH] signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO To: "Eric W. Biederman" , Alexander Potapenko Cc: Andrew Morton , Arnd Bergmann , Christian Brauner , deepa.kernel@gmail.com, LKML , syzkaller-bugs@googlegroups.com, Thomas Gleixner , Oleg Nesterov , syzbot Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 28, 2019 at 6:22 PM Eric W. Biederman wrote: > > > Recently syzbot in conjunction with KMSAN reported that > ptrace_peek_siginfo can copy an uninitialized siginfo to userspace. > Inspecting ptrace_peek_siginfo confirms this. > > The problem is that off when initialized from args.off can be > initialized to a negaive value. At which point the "if (off >= 0)" > test to see if off became negative fails because off started off > negative. > > Prevent the core problem by adding a variable found that is only true > if a siginfo is found and copied to a temporary in preparation for > being copied to userspace. > > Prevent args.off from being truncated when being assigned to off by > testing that off is <= the maximum possible value of off. Convert off > to an unsigned long so that we should not have to truncate args.off, > we have well defined overflow behavior so if we add another check we > won't risk fighting undefined compiler behavior, and so that we have a > type whose maximum value is easy to test for. > Hello Eric, Thank you for fixing this issue. Sorry for the late response. I thought it was fixed a few month ago, I remembered that we discussed it: https://lkml.org/lkml/2018/10/10/251 Here are two inline comments. > Cc: Andrei Vagin > Cc: stable@vger.kernel.org > Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com > Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)") > Signed-off-by: "Eric W. Biederman" > --- > > Comments? > Concerns? > > Otherwise I will queue this up and send it to Linus. > > kernel/ptrace.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/kernel/ptrace.c b/kernel/ptrace.c > index 6f357f4fc859..4c2b24a885d3 100644 > --- a/kernel/ptrace.c > +++ b/kernel/ptrace.c > @@ -704,6 +704,10 @@ static int ptrace_peek_siginfo(struct task_struct *child, > if (arg.nr < 0) > return -EINVAL; > > + /* Ensure arg.off fits in an unsigned */ > + if (arg.off > ULONG_MAX) if (arg.off > ULONG_MAX - arg.nr) > + return 0; maybe we should return EINVAL in this case > + > if (arg.flags & PTRACE_PEEKSIGINFO_SHARED) > pending = &child->signal->shared_pending; > else > @@ -711,18 +715,20 @@ static int ptrace_peek_siginfo(struct task_struct *child, > > for (i = 0; i < arg.nr; ) { > kernel_siginfo_t info; > - s32 off = arg.off + i; > + unsigned long off = arg.off + i; > + bool found = false; > > spin_lock_irq(&child->sighand->siglock); > list_for_each_entry(q, &pending->list, list) { > if (!off--) { > + found = true; > copy_siginfo(&info, &q->info); > break; > } > } > spin_unlock_irq(&child->sighand->siglock); > > - if (off >= 0) /* beyond the end of the list */ > + if (!found) /* beyond the end of the list */ > break; > > #ifdef CONFIG_COMPAT > -- > 2.21.0.dirty >