Date: Sat, 1 Aug 2020 03:21:42 +0300
From: "Dmitry V. Levin"
To: Peilin Ye
Cc: Elvira Khabirova, Oleg Nesterov, Dan Carpenter, Arnd Bergmann, Greg Kroah-Hartman, linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH] ptrace: Prevent kernel-infoleak in ptrace_get_syscall_info()
Message-ID: <20200801002142.GA27762@altlinux.org>
References: <20200727213644.328662-1-yepeilin.cs@gmail.com>
In-Reply-To: <20200727213644.328662-1-yepeilin.cs@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 27, 2020 at 05:36:44PM -0400, Peilin Ye wrote:
> ptrace_get_syscall_info() is copying uninitialized stack memory to
> userspace due to the compiler not initializing holes in statically
> allocated structures. Fix it by initializing `info` with memset().
>
> Cc: stable@vger.kernel.org
> Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request")
> Suggested-by: Dan Carpenter
> Signed-off-by: Peilin Ye
> ---
> kernel/ptrace.c | 14 ++++++++------
> 1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 43d6179508d6..e48d05b765b5 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -960,15 +960,17 @@ ptrace_get_syscall_info(struct task_struct *child, unsigned long user_size,
> void __user *datavp)
> {
> struct pt_regs *regs = task_pt_regs(child);
> - struct ptrace_syscall_info info = {
> - .op = PTRACE_SYSCALL_INFO_NONE,
> - .arch = syscall_get_arch(child),
> - .instruction_pointer = instruction_pointer(regs),
> - .stack_pointer = user_stack_pointer(regs),
> - };
> + struct ptrace_syscall_info info;
> unsigned long actual_size = offsetof(struct ptrace_syscall_info, entry);
> unsigned long write_size;
>
> + memset(&info, 0, sizeof(info));
> +
> + info.op = PTRACE_SYSCALL_INFO_NONE;
> + info.arch = syscall_get_arch(child);
> + info.instruction_pointer = instruction_pointer(regs);
> + info.stack_pointer = user_stack_pointer(regs);
> +

No, please don't do it this way.
If there is a hole in the structure that the compiler is unable to
initialize properly (and there is a 3-byte hole in the beginning indeed),
please plug the hole by turning it into something that the compiler is
capable of initializing.

Also, please do not forget to Cc authors of the commit you are fixing.


-- 
ldv
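Review bot: The memset() added in this hunk zeroes the 3-byte hole between `op` and `arch` only for this one construction of `info`; the hole remains unnamed padding in struct ptrace_syscall_info, so any later code that rebuilds the struct with an initializer or a struct assignment can reopen the leak, and the hunk also trades the designated initializer for four plain assignments. Prefer plugging the hole in the uapi struct with a named member (for example `__u8 pad[3];` between `op` and `arch`, which cannot change the layout because the hole already exists there) so that the original `struct ptrace_syscall_info info = { ... }` initializer zero-fills it and this function needs no change at all. Separately, the commit message calls the structure "statically allocated", but `info` is an automatic (stack) variable, as the message's own first sentence says.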
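The following is example code added for this page (it is not code from the patch, the thread, or the kernel tree) that contrasts the two approaches the reply above argues about: leaving the hole as unnamed padding and zeroing it with memset(), versus naming the hole so that the initializer zeroes it. The struct and function names, the poison-and-count check, and the sample register values are this example's own assumptions; the member types model only the first members of struct ptrace_syscall_info as they appear in the quoted diff (a 1-byte `op` followed by a 4-byte-aligned `arch`, hence the 3-byte hole), with the union and later members left out.

```c
/* Added example, not kernel code: why a named pad member beats memset().
 * The two structs below model the leading members of struct
 * ptrace_syscall_info as shown in the quoted diff; names are this example's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define POISON 0xAA   /* pattern standing in for stale stack contents */

/* Layout with an implicit hole: op is 1 byte, arch needs 4-byte alignment,
 * so the compiler inserts 3 bytes of padding that no initializer can name. */
struct info_leaky {
    uint8_t  op;
    uint32_t arch;
    uint64_t instruction_pointer;
    uint64_t stack_pointer;
};

/* Same ABI layout, but the hole is a named member. A designated initializer
 * that omits pad zero-initializes it (C11 6.7.9p21), so no memset is needed. */
struct info_plugged {
    uint8_t  op;
    uint8_t  pad[3];
    uint32_t arch;
    uint64_t instruction_pointer;
    uint64_t stack_pointer;
};

/* Compile-time checks a reviewer would want next to the uapi definition:
 * plugging the hole must not move anything, and must leave no padding behind. */
_Static_assert(sizeof(struct info_leaky) == sizeof(struct info_plugged),
               "naming the hole must not change the struct size");
_Static_assert(offsetof(struct info_leaky, arch) == offsetof(struct info_plugged, arch),
               "naming the hole must not move arch");
_Static_assert(sizeof(struct info_plugged) ==
               sizeof(uint8_t) + 3 + sizeof(uint32_t) + 2 * sizeof(uint64_t),
               "info_plugged still contains implicit padding");

/* Bytes of unnamed padding between op and arch (3 on every mainstream ABI). */
size_t leaky_hole_size(void)
{
    return offsetof(struct info_leaky, arch) - (offsetof(struct info_leaky, op) + sizeof(uint8_t));
}

/* Bytes of unnamed padding between pad and arch (0 by construction). */
size_t plugged_hole_size(void)
{
    return offsetof(struct info_plugged, arch)
         - (offsetof(struct info_plugged, pad) + sizeof(((struct info_plugged *)0)->pad));
}

/* Count bytes in raw[from, to) that still carry the poison pattern. */
static size_t poisoned_bytes(const uint8_t *raw, size_t from, size_t to)
{
    size_t n = 0;
    for (size_t i = from; i < to; i++)
        if (raw[i] == POISON)
            n++;
    return n;
}

/* Poison the backing memory, build the struct with a designated initializer
 * (the idiom the original kernel code used), and see whether the hole between
 * op and arch was cleared. For info_leaky the answer is compiler-dependent:
 * the standard gives padding an indeterminate value, so 0..3 bytes may survive. */
size_t leaky_poison_bytes_left(void)
{
    union { struct info_leaky s; uint8_t raw[sizeof(struct info_leaky)]; } u;
    memset(u.raw, POISON, sizeof u.raw);
    u.s = (struct info_leaky){
        .op = 0,
        .arch = 0xC000003EU,            /* constructed sample values */
        .instruction_pointer = 0x401000,
        .stack_pointer = 0x7ffd0000,
    };
    return poisoned_bytes(u.raw, sizeof(uint8_t), offsetof(struct info_leaky, arch));
}

/* Same experiment with the hole named: pad is a member the initializer did not
 * mention, so it is zero-initialized and the struct has no padding bits left.
 * The result is 0 on every conforming compiler. */
size_t plugged_poison_bytes_left(void)
{
    union { struct info_plugged s; uint8_t raw[sizeof(struct info_plugged)]; } u;
    memset(u.raw, POISON, sizeof u.raw);
    u.s = (struct info_plugged){
        .op = 0,
        .arch = 0xC000003EU,            /* constructed sample values */
        .instruction_pointer = 0x401000,
        .stack_pointer = 0x7ffd0000,
    };
    return poisoned_bytes(u.raw, offsetof(struct info_plugged, pad), offsetof(struct info_plugged, arch));
}

int main(void)
{
    printf("unnamed hole after op: leaky=%zu bytes, plugged=%zu bytes\n",
           leaky_hole_size(), plugged_hole_size());
    printf("poison surviving in the hole: leaky=%zu (compiler-dependent), plugged=%zu\n",
           leaky_poison_bytes_left(), plugged_poison_bytes_left());
    return 0;
}
```

The _Static_assert lines are the part worth keeping near the real uapi definition: they fail the build if someone later reorders members and reopens a gap, which a memset() in one caller would never catch.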