From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, "Eric W. Biederman", "Andrei Vagin", syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
Date: Wed, 02 Oct 2019 20:06:51 +0100
Subject: [PATCH 3.16 39/87] signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO

3.16.75-rc1 review patch. If anyone has any objections, please let me know.

------------------
From: "Eric W. Biederman"

commit f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 upstream.

Recently syzbot in conjunction with KMSAN reported that ptrace_peek_siginfo can copy an uninitialized siginfo to userspace. Inspecting ptrace_peek_siginfo confirms this.

The problem is that off when initialized from args.off can be initialized to a negative value. At which point the "if (off >= 0)" test to see if off became negative fails because off started off negative.

Prevent the core problem by adding a variable found that is only true if a siginfo is found and copied to a temporary in preparation for being copied to userspace.

Prevent args.off from being truncated when being assigned to off by testing that off is <= the maximum possible value of off.

Convert off to an unsigned long so that we should not have to truncate args.off, we have well defined overflow behavior so if we add another check we won't risk fighting undefined compiler behavior, and so that we have a type whose maximum value is easy to test for.

Cc: Andrei Vagin
Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
Signed-off-by: "Eric W. Biederman"
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
 kernel/ptrace.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -711,6 +711,10 @@ static int ptrace_peek_siginfo(struct ta if (arg.nr < 0) return -EINVAL; + /* Ensure arg.off fits in an unsigned long */ + if (arg.off > ULONG_MAX) + return 0; + if (arg.flags & PTRACE_PEEKSIGINFO_SHARED) pending = &child->signal->shared_pending; else
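Review bot: the new `if (arg.off > ULONG_MAX) return 0;` returns success with zero signals while the `arg.nr < 0` check directly above returns -EINVAL, and the comment ("Ensure arg.off fits in an unsigned long") explains the mechanism but not why 0 is the right answer; consider spelling out the reasoning, e.g. `/* An offset that does not fit in unsigned long is past the end of any queue: nothing to copy */`, so the asymmetry with -EINVAL is visibly deliberate and matches the "beyond the end of the list" break in the loop below. Note also that on builds where `unsigned long` is as wide as `arg.off` the comparison can never be true and some compilers warn about an always-false comparison; that is acceptable here because the check is exactly what prevents the truncation the commit message describes on narrower builds, but a short comment to that effect would save the next reader the same question.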
@@ -718,18 +722,20 @@ static int ptrace_peek_siginfo(struct ta for (i = 0; i < arg.nr; ) { siginfo_t info; - s32 off = arg.off + i; + unsigned long off = arg.off + i; + bool found = false; spin_lock_irq(&child->sighand->siglock); list_for_each_entry(q, &pending->list, list) { if (!off--) { + found = true; copy_siginfo(&info, &q->info); break; } } spin_unlock_irq(&child->sighand->siglock); - if (off >= 0) /* beyond the end of the list */ + if (!found) /* beyond the end of the list */ break; #ifdef CONFIG_COMPAT
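Review bot: `unsigned long off = arg.off + i;` can still wrap when `arg.off` is close to ULONG_MAX, because the check in the previous hunk only guarantees `arg.off <= ULONG_MAX` and `i` runs up to `arg.nr`. With `found` in place the wrap no longer lets an uninitialized `info` reach userspace (a wrapped `off` simply matches an entry near the head of the queue), so the leak this patch targets is closed, but the caller would receive a wrong entry instead of hitting the "beyond the end of the list" break. The commit message already notes that the unsigned type makes a further check well defined; consider adding `if (off < arg.off) break;` before taking the siglock, or documenting why the wrap is tolerated. Replacing `if (off >= 0)` with `if (!found)` is required and not just cleanup: with `off` unsigned the old test would be unconditionally true, so the early exit has to be driven by whether `copy_siginfo()` actually ran.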
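As an added illustration of the bug described in the commit message (this is not kernel code and not part of the patch), the following user-space model walks a constructed pending queue the way ptrace_peek_siginfo() does before and after the change; uint32_t stands in for `unsigned long` on a 32-bit build, where `arg.off` is wider than the variable it is assigned to.

```c
/* Added example (not kernel code): a user-space model of the offset walk in
 * ptrace_peek_siginfo(), before and after the fix. The pending queue is a
 * constructed array, "siginfo" is an int, and copy_siginfo() is an assignment.
 * uint32_t stands in for unsigned long on a 32-bit build. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define QUEUE_LEN 3
static const int queue[QUEUE_LEN] = {101, 102, 103}; /* constructed entries */

/* Before the fix: `s32 off = arg.off + i; ... if (off >= 0) break;`.
 * Returns true when the caller would go on to copy *info to userspace;
 * *info is only written when an entry was actually matched. */
static bool peek_old(uint64_t arg_off, int i, int *info)
{
    /* Same two's-complement truncation the kernel's s32 assignment relied on;
     * a large arg.off becomes a small or negative off. */
    int32_t off = (int32_t)(uint32_t)(arg_off + i);

    for (size_t k = 0; k < QUEUE_LEN; k++) {
        if (!off--) {              /* only true when off counts down to 0 */
            *info = queue[k];
            break;
        }
    }
    /* The intended "beyond the end of the list" test. A negative start value
     * never reaches zero, yet off >= 0 is false, so uninitialized info leaks. */
    return !(off >= 0);
}

/* After the fix: reject offsets that do not fit, count with an unsigned type,
 * and copy only when `found` says an entry was matched. */
static bool peek_new(uint64_t arg_off, int i, int *info)
{
    if (arg_off > UINT32_MAX)      /* hunk 1: cannot be inside the queue */
        return false;

    uint32_t off = (uint32_t)(arg_off + i);
    bool found = false;

    for (size_t k = 0; k < QUEUE_LEN; k++) {
        if (!off--) {
            found = true;
            *info = queue[k];
            break;
        }
    }
    return found;                  /* hunk 2: replaces the off >= 0 test */
}
```

With `arg.off = 0xFFFFFFFF` the old walk reports a copy while never writing `info`; the new walk reports end of list, and an offset that does not fit in 32 bits is rejected before the walk instead of being truncated to a valid index.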