From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sargun Dhillon, Tycho Andersen, Kees Cook
Subject: [PATCH 5.4 095/191] samples/seccomp: Zero out members based on seccomp_notif_sizes
Date: Tue, 7 Jan 2020 21:53:35 +0100
Message-Id: <20200107205338.077706994@linuxfoundation.org>
In-Reply-To: <20200107205332.984228665@linuxfoundation.org>

From: Sargun Dhillon

commit 771b894f2f3dfedc2ba5561731fffa0e39b1bbb6 upstream.

The sizes by which seccomp_notif and seccomp_notif_resp are allocated are based on the SECCOMP_GET_NOTIF_SIZES ioctl. This allows for graceful extension of these datastructures. If userspace zeroes out the datastructure based on its version, and it is lagging behind the kernel's version, it will end up sending trailing garbage. On the other hand, if it is ahead of the kernel version, it will write extra zero space, and potentially cause corruption.

Signed-off-by: Sargun Dhillon
Suggested-by: Tycho Andersen
Link: https://lore.kernel.org/r/20191230203503.4925-1-sargun@sargun.me
Fixes: fec7b6690541 ("samples: add an example of seccomp user trap")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook
Signed-off-by: Greg Kroah-Hartman
---
 samples/seccomp/user-trap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/samples/seccomp/user-trap.c +++ b/samples/seccomp/user-trap.c 
@@ -298,14 +298,14 @@ int main(void) req = malloc(sizes.seccomp_notif); if (!req) goto out_close; - memset(req, 0, sizeof(*req)); resp = malloc(sizes.seccomp_notif_resp); if (!resp) goto out_req; - memset(resp, 0, sizeof(*resp)); + memset(resp, 0, sizes.seccomp_notif_resp); while (1) { + memset(req, 0, sizes.seccomp_notif); if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, req)) { perror("ioctl recv"); goto out_resp;
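
Review bot: the memset(req, 0, sizes.seccomp_notif) added at the top of while (1) is more than a size correction, since req is now cleared before every SECCOMP_IOCTL_NOTIF_RECV instead of once after malloc, yet the commit message only explains the sizeof(*req) versus sizes.seccomp_notif mismatch. A sentence saying why the buffer has to be re-zeroed on each pass would make the move reviewable on its own. The resp side is handled asymmetrically: memset(resp, 0, sizes.seccomp_notif_resp) stays before the loop, so any resp member that the loop body does not assign on every iteration keeps its value from the previous notification. The visible lines do not show that body, so either confirm that every member is set each time or move the resp memset into the loop next to the req one.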