Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp454775pxa;
        Fri, 31 Jul 2020 17:22:40 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy92+r9p6L/JrAayLw0XNYF/h4mBDFCKERGLt39TxNSSxgWJP+Uw+rGXTkn58Qkt0wQg03k
X-Received: by 2002:a17:906:2296:: with SMTP id p22mr6404354eja.510.1596241360433;
        Fri, 31 Jul 2020 17:22:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1596241360; cv=none;
        d=google.com; s=arc-20160816;
        b=bhMXUU/pSVl/tiBL9YHCDPhQss3uuUVOm2RGAZNTrHnbS7Ea61vX1tmr9GCLiveuYI
         Il8nqC7kywxQ5cC1q2uUBcS+vDK6/9PSIIF9Q4iDjGZ77fPZjZymHzEsh6NCFNJ6zAx6
         WbJLDmzUtCNOfCztb7xPn8tsM1WIhYwKbWNZmY2tMxo68Q/4chy+gUPeStb9fuOGEOkV
         vnoRRKYb8XEoJNLaw6vpTAXcJ0pLGiccfoPwqc2P47+AjuMowWu0sPbMZVTbF0/0wQb6
         2Ih7lEUjES+HRe6Ji5c4l3cg3NP4cSpSGWEd1tbMnAIz+Y83tH0PcomFfa3rItX1Uy1K
         C/Rg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=oKDS95ygfonzm8niRfhqm/qlMsh6xbmQ2d0QoUgiQ64=;
        b=xEVO4EXHzMEnoSW9ZUdB45y8cFwVod6XMT2wzNf0jjGBPnENyqG3pI2W37Sb3SlOfX
         N4Ouv/H+kA0KT0MKEmn0J73LiYY9nh86anVVg1mkKKtQdsyOba3gfLtJwlOwDBhSgRIO
         PYpbp6OwkmeTNNUqtokQcioPn8wxy3QQ8MM308OcUdOymTMP4XQCuq+2uiajZakzmt5t
         QRWYamzkfQRYkmmjXJZD+BEJnBOyLXSZ8k0oxsgLR+i7L5w0yWFL2GmlZ3lcKkDYmflv
         fsBXON8udgkufH4j3tZP6uvdZhxR5lW4yR1FP1R/W8Ad9PjV8JGizz4IhwHJZwBIRk1M
         Rh9Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id n9si5787201edy.290.2020.07.31.17.22.18;
        Fri, 31 Jul 2020 17:22:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727978AbgHAAVq (ORCPT <rfc822;1dalishi1@gmail.com> + 99 others);
        Fri, 31 Jul 2020 20:21:46 -0400
Received: from vmicros1.altlinux.org ([194.107.17.57]:52730 "EHLO
        vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726099AbgHAAVp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 31 Jul 2020 20:21:45 -0400
Received: from mua.local.altlinux.org (mua.local.altlinux.org [192.168.1.14])
        by vmicros1.altlinux.org (Postfix) with ESMTP id 8E59372CCDC;
        Sat,  1 Aug 2020 03:21:42 +0300 (MSK)
Received: by mua.local.altlinux.org (Postfix, from userid 508)
        id 61DA17CFBFC; Sat,  1 Aug 2020 03:21:42 +0300 (MSK)
Date:   Sat, 1 Aug 2020 03:21:42 +0300
From:   "Dmitry V. Levin" <ldv@altlinux.org>
To:     Peilin Ye <yepeilin.cs@gmail.com>
Cc:     Elvira Khabirova <lineprinter@altlinux.org>,
        Oleg Nesterov <oleg@redhat.com>,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-kernel-mentees@lists.linuxfoundation.org,
        linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH] ptrace: Prevent kernel-infoleak
 in ptrace_get_syscall_info()
Message-ID: <20200801002142.GA27762@altlinux.org>
References: <20200727213644.328662-1-yepeilin.cs@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200727213644.328662-1-yepeilin.cs@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 27, 2020 at 05:36:44PM -0400, Peilin Ye wrote:
> ptrace_get_syscall_info() is copying uninitialized stack memory to
> userspace due to the compiler not initializing holes in statically
> allocated structures. Fix it by initializing `info` with memset().
> 
> Cc: stable@vger.kernel.org
> Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request")
> Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
> ---
>  kernel/ptrace.c | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 43d6179508d6..e48d05b765b5 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -960,15 +960,17 @@ ptrace_get_syscall_info(struct task_struct *child, unsigned long user_size,
>  			void __user *datavp)
>  {
>  	struct pt_regs *regs = task_pt_regs(child);
> -	struct ptrace_syscall_info info = {
> -		.op = PTRACE_SYSCALL_INFO_NONE,
> -		.arch = syscall_get_arch(child),
> -		.instruction_pointer = instruction_pointer(regs),
> -		.stack_pointer = user_stack_pointer(regs),
> -	};
> +	struct ptrace_syscall_info info;
>  	unsigned long actual_size = offsetof(struct ptrace_syscall_info, entry);
>  	unsigned long write_size;
>  
> +	memset(&info, 0, sizeof(info));
> +
> +	info.op	= PTRACE_SYSCALL_INFO_NONE;
> +	info.arch = syscall_get_arch(child);
> +	info.instruction_pointer = instruction_pointer(regs);
> +	info.stack_pointer = user_stack_pointer(regs);
> +

No, please don't do it this way.  If there is a hole in the structure that
the compiler is unable to initialize properly (and there is a 3-byte hole
in the beginning indeed), please plug the hole by turning it into
something that the compiler is capable of initializing.

Also, please do not forget to Cc authors of the commit you are fixing.


-- 
ldv