Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp293880ybz;
        Tue, 21 Apr 2020 09:09:06 -0700 (PDT)
X-Google-Smtp-Source: APiQypJWrkhwANbUMuy2SKZvazAAD0vxWlDq3OFNFlhVsXHrqJSPhR9wjmllDxXYPCuO5QKJ6FIj
X-Received: by 2002:a17:907:1199:: with SMTP id uz25mr21863005ejb.131.1587485346108;
        Tue, 21 Apr 2020 09:09:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1587485346; cv=none;
        d=google.com; s=arc-20160816;
        b=jFpd8e8hjWIo89ZZo96oyA8bxNxS+SEMj7GoSMEJzZSzjRz3g4tyw+/lBUktqc1kFV
         y5YnnUNbklhvMOly36BEvayPWrHfbij9lEHHr6RNnSLRuG0plJlqfoHhSeO8NpIUkITr
         TjraybhfqmPOxkJDRyhNk7MmuG9itX6tQiPAc+N+mC4ksYxPnXGzjLrdhS9MY5TXrKul
         je4VTLQQWG9ooHE1TmvjM987qziUl/Dr5jMqzJIJoWJJqR0b/7jzS6tOg1fN5D5wnyKi
         bcxBKPZRyhOCvO3pemky/fFUXo3QIlnX8lL9WZ871KiOndU8aA7QPTO30n7kE9X+ioxe
         bZTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id:ironport-sdr:ironport-sdr;
        bh=CoJLfhCtzpnSQ6uyBWCqnLdBSD2A07gSHJRd3PsD+ME=;
        b=cjpgDBHm4ye4sGinv9TbjE3DF6LF1eaKIjmo+kxbnq50PzR1TDrqAVvC5k2/wOJL+Y
         MAb6WRPpAupLcHnz2FdwkRYTCT4xWo4Dz7dSFF9ZgcXPt55rExMH6bZ+61MxUTxNJR5J
         etP1YopF1iHWpClbHRzfGjzLZIbX7AMTU2ssLnOFpHDcwuQMkv1sHG86PW6ww4rNRcnz
         VwZJClAAJUBm59MGabv1MLNO5tGpp9JeedfKJXgitB/t1yOQUL/AgDeUkLDT34Oe/CQp
         j7kFGogB3iu9Q4oC1uAVl48LH2+sZTKmbq+xNsUzYw4gi9EWSKue3q8AnP1bCAVhUx9C
         zUoA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id me19si1860626ejb.140.2020.04.21.09.08.40;
        Tue, 21 Apr 2020 09:09:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726878AbgDUQE5 (ORCPT <rfc822;1dalishi1@gmail.com> + 99 others);
        Tue, 21 Apr 2020 12:04:57 -0400
Received: from mga01.intel.com ([192.55.52.88]:6986 "EHLO mga01.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726157AbgDUQE4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 21 Apr 2020 12:04:56 -0400
IronPort-SDR: yii7rNWjbB2ZqdxRO7ovcA4thHBneoG7SbotbLsNP7aQuDe4oOxirmM60aiZP9+5lcbU8vcO4e
 F7mj6T2296ZQ==
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga004.fm.intel.com ([10.253.24.48])
  by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Apr 2020 09:04:56 -0700
IronPort-SDR: qRcJMXn+SpuAzjLVQ+pUxSoamDQ1pOkcUjVQ5GA9MbDsuXFxcr2tJthsMkbiuG/coEFXn5/EYX
 q0jpOS2/4lhg==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.72,410,1580803200"; 
   d="scan'208";a="279691377"
Received: from yyu32-desk.sc.intel.com ([143.183.136.146])
  by fmsmga004.fm.intel.com with ESMTP; 21 Apr 2020 09:04:56 -0700
Message-ID: <6eb0a398097d16f7247accdfa9c21c1da90e0461.camel@intel.com>
Subject: Re: [PATCH] fs/binfmt_elf.c: allocate initialized memory in
 fill_thread_core_info()
From:   Yu-cheng Yu <yu-cheng.yu@intel.com>
To:     Jann Horn <jannh@google.com>,
        Alexander Potapenko <glider@google.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
        "H. Peter Anvin" <hpa@zytor.com>,
        the arch/x86 maintainers <x86@kernel.org>,
        Dave Hansen <dave.hansen@intel.com>
Cc:     Al Viro <viro@zeniv.linux.org.uk>,
        Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Alexey Dobriyan <adobriyan@gmail.com>,
        LKML <linux-kernel@vger.kernel.org>, sunhaoyl@outlook.com
Date:   Tue, 21 Apr 2020 09:04:57 -0700
In-Reply-To: <CAG48ez1u9=Uqcx2dH=7xea1R+WpnL239DSoVHLwV09=FxZUevQ@mail.gmail.com>
References: <20200419100848.63472-1-glider@google.com>
         <20200420153352.6682533e794f591dae7aafbc@linux-foundation.org>
         <202004201540.01C8F82B@keescook>
         <20200421034249.GB23230@ZenIV.linux.org.uk>
         <CAG_fn=X_eQ4G-0+oAO_q+_zRnkfMf4uhfMcnoYt4i1N_noKgdA@mail.gmail.com>
         <CAG48ez1u9=Uqcx2dH=7xea1R+WpnL239DSoVHLwV09=FxZUevQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.32.4 (3.32.4-1.fc30) 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2020-04-21 at 17:09 +0200, Jann Horn wrote:
> +x86 folks
> 
> (rest of thread is on lore
> <https://lore.kernel.org/lkml/20200419100848.63472-1-glider@google.com/>;,
> with original bug report on github
> <https://github.com/google/kmsan/issues/76>;)
> 
> On Tue, Apr 21, 2020 at 2:54 PM Alexander Potapenko <glider@google.com> wrote:
> > On Tue, Apr 21, 2020 at 5:42 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> > > On Mon, Apr 20, 2020 at 03:41:40PM -0700, Kees Cook wrote:
> > > > On Mon, Apr 20, 2020 at 03:33:52PM -0700, Andrew Morton wrote:
> > > > > On Sun, 19 Apr 2020 12:08:48 +0200 glider@google.com wrote:
> > > > > 
> > > > > > KMSAN reported uninitialized data being written to disk when dumping
> > > > > > core. As a result, several kilobytes of kmalloc memory may be written to
> > > > > > the core file and then read by a non-privileged user.
> > > > 
> > > > Ewww. That's been there for 12 years. Did something change in
> > > > regset_size() or regset->get()? Do you know what leaves the hole?
> > > 
> > > Not lately and I would also like to hear the details; which regset it is?
> > > Should be reasonably easy to find - just memset() the damn thing to something
> > > recognizable, do whatever triggers that KMSAN report and look at that
> > > resulting coredump.
> > > 
> > 
> > Seems to be REGSET_XSTATE filled by xstateregs_get().
> > Is there a ptrace interface also using that function?
> 
> It looks to me like the problem KMSAN found is that
> copy_xstate_to_kernel() will not fill out memory for unused xstates? I
> think this may have been introduced by commit 91c3dba7dbc1
> ("x86/fpu/xstate: Fix PTRACE frames for XSAVES", introduced in v4.8).
> 
> There seem to be no other functions that reach that path other than
> coredumping; I think the correct fix would be to change
> copy_xstate_to_kernel() to always fully initialize the output buffer.

Yes, that makes sense.  On the other hand, the kzalloc() fix prevents potential
similar problems for other regsets.

Yu-cheng

> 
> The ptrace path uses copy_xstate_to_user(); there, instead of leaking
> kernel memory to userspace, parts of the userspace buffer are simply
> not written to at all.