Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp11820053ybl; Fri, 27 Dec 2019 23:10:27 -0800 (PST) X-Google-Smtp-Source: APXvYqwP8PzpiIDNP+SSuyTjtn/C+vyaZ6//Ykyt5wVdn711iCgbLb9CDp0O76Z0NcuOSo1TIbmE X-Received: by 2002:a05:6830:1487:: with SMTP id s7mr39426027otq.269.1577517027089; Fri, 27 Dec 2019 23:10:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1577517027; cv=none; d=google.com; s=arc-20160816; b=0OOaA76IGBMfZC5+DtyBiEfBxkckFT0ujn3I/TaV87fYDdSxWCFrGFeBQ4Jvpga0HI FUmSw+f/8n2b1k05nTfczehfGdU+463XNIXUyj1+05mWL3XDelGnKjt1Rm2JpKqJ/er9 5BRtlY6WDRhmQpTnpioTrm4/6/keCaRE6nxdZUXBMBDUIdtqO/s5spA4vuLErI+pNGQV NtrZoHUMyMwdefu+6j03weQWZu7avzYLGD8wo5u00BebXkNkWHBsBpL31kWxXtE3S+b+ cJ5xfC//Jp2uACh7uIx3T6k7DXsZiRx8QPkPyz/Z+MNwB0AkzQ9pwB90XEWf3GecRGaW KCgg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=JxUesbDLyG7V0iU9AQcGSLq7vr0O0Ni2i8OsYwRfQ7s=; b=FNtPwvruxL40itSGM58vXVni0Li2VyX4E4AkpyxfQO8hoTF4Gw/RvNTAaobuume7xY ZG4r0RcDWvp83ZP9+jOI8JULX4+Tag+/USXkxYSpTFHZf2J5XINm9rY/oQ5NMDFJMv0t JjVYrcU+WrtGRXSc1xNF8w93ttkCsB9Q2LM5fWpAkSmN+0L07NCx/OxprDLJP0i85mYx mwVbWZ30ZlfrVX8MRocCPZSC+zJqYw6U3pOWkfZAIDfuVlCXS5fT4VRUbVk7RWyzEUst LLjNWrtMUnFbimuZezrbIJNhrPd+maS4+iVt6npS7ed+rumFbNVvbJaHns/vIiA1G0+N Vk9w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o5si16146171otl.185.2019.12.27.23.10.13; Fri, 27 Dec 2019 23:10:27 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726388AbfL1HJP (ORCPT + 99 others); Sat, 28 Dec 2019 02:09:15 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:37585 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725857AbfL1HJP (ORCPT ); Sat, 28 Dec 2019 02:09:15 -0500 Received: from p5b12df56.dip0.t-ipconnect.de ([91.18.223.86] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1il6Do-0001Ct-Fn; Sat, 28 Dec 2019 07:09:12 +0000 Date: Sat, 28 Dec 2019 08:09:11 +0100 From: Christian Brauner To: Sargun Dhillon Cc: linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, tycho@tycho.ws, jannh@google.com, keescook@chromium.org, cyphar@cyphar.com Subject: Re: [PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user Message-ID: <20191228070910.qo7ahodfs2mzqw5t@wittgenstein> References: <20191228014849.GA31783@ircssh-2.c.rugged-nimbus-611.internal> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20191228014849.GA31783@ircssh-2.c.rugged-nimbus-611.internal> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Dec 28, 2019 at 01:48:51AM +0000, Sargun Dhillon wrote: > This patch is a small change in enforcement of the uapi for > SECCOMP_IOCTL_NOTIF_RECV ioctl. Specifically, the datastructure which > is passed (seccomp_notif) must be zeroed out. Previously any of its > members could be set to nonsense values, and we would ignore it. > > This ensures all fields are set to their zero value. The upper part is correct and useful. > > This relies on the seccomp_notif datastructure to not have > any unnamed padding, as it is valid to initialize the datastructure > as: > > struct seccomp_notif notif = {}; The interesting part here is accidently leaking kernel addresses to userspace. For this to be an issue we'd need to do struct seccomp_notif unotif = {}; copy_to_user(, &unotif, sizeof(unotif)) _and_ seccomp_notif would need to contain unintentional padding. Even if the latter were true we still use memset() anwyay and will likely never remove it. So the code here sure doesn't rely or depends on correct padding at all. > > This only initializes named members to their 0-value [1]. > > [1]: https://lore.kernel.org/lkml/20191227023131.klnobtlfgeqcmvbb@yavin.dot.cyphar.com/ That link isn't useful and also incorrectly claims that there is non-intentional padding in the struct which there isn't. Just drop that whole paragraph. The expectation is that all of our ABIs are correctly padded anyway and this really just confuses more than it helps. Please resend, otherwise: Reviewed-by: Christian Brauner But see a small comment below. > > Signed-off-by: Sargun Dhillon > Cc: Kees Cook > --- > kernel/seccomp.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > index 12d2227e5786..4fd73cbdd01e 100644 > --- a/kernel/seccomp.c > +++ b/kernel/seccomp.c > @@ -1026,6 +1026,12 @@ static long seccomp_notify_recv(struct seccomp_filter *filter, > struct seccomp_notif unotif; > ssize_t ret; > > + ret = check_zeroed_user(buf, sizeof(unotif)); It wouldn't hurt to place a small comment here so the reader can easily spot we've ensured that this struct can be extended. But up to you... /* Verify that we're not given garbage to keep struct extensible. */ > + if (ret < 0) > + return ret; > + if (!ret) > + return -EINVAL; > + > memset(&unotif, 0, sizeof(unotif)); > > ret = down_interruptible(&filter->notif->request); > -- > 2.20.1 >