Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp855427pxa; Sat, 1 Aug 2020 08:12:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz/dudne9AA/5QM38w9RSvUc0opajNffMqJ2zlRYx3z9mvT0kQ394MvPpIi/+/7oG8pb3mV X-Received: by 2002:a17:906:4f82:: with SMTP id o2mr9279452eju.424.1596294726759; Sat, 01 Aug 2020 08:12:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596294726; cv=none; d=google.com; s=arc-20160816; b=FAQodRpKByz5RAAxdEI/lPARPgnCul7/ALoJfjryy4sZ3/wZUcwYOfT6tKgmu0jfdZ PgpSRzCNHwhxYUqf3JqMZt3shuxXcCycbyLgj2GXoob1YN/sAEb3sboat+xJVL2jHKl1 gPGK9dGbxlN02/zTK3vfDFtDqbRpGdtuhAgiqOKCAyafF/g3Qu6EVC6zuy0loepoNHva zirA9e+kE7b1nYJNl5O8NUL5y8+6j7rWo1UCh63PwGOwdyQZ0Odz+oTZIhC8VFu9JYl5 9ezw4FfiCbsymiIvEMzfpBnoOis3cywGQVROSc5c1l3kZnm23kY/xmjLAKnGTkaXdR1h R79Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=AnUnEw7ce9H3qhe28a6R96K/BnlU0zb3g4leH5fYies=; b=MNWAnuca8OjQ2D/dJR7E2/Wr3xt/IQD5nnVbYEuvqQZQxGrAcNJXtTexQlPz19HOly NpX9bwjgcj3uV3IPSbqrQcTi5/hTi2CZW9OH4PFHO/fZE13jmnKEDe4kF7EwGxe6ogCo YWy6gfiCZT4JWHj+pOG0eU9hlQxRzyx/sdjuxFL+bSROkVDdAtiMqUBQM83qzFGFYJzk pG+4lpmRKXxQgHw7T9LTR95iRDhl2Zz2b6ig818wYPYiFybUr6kHCmIcZyT+J7VgXzgz cQ00/EBARX+aKAdHimk2gXT/NmizC65wXbmhqO3+Rh4ynMaSy03qqrSC5dwM/voWA4FA wnKg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=IaWHYaZM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z5si7018265edr.493.2020.08.01.08.11.43; Sat, 01 Aug 2020 08:12:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=IaWHYaZM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726545AbgHAPJ2 (ORCPT + 99 others); Sat, 1 Aug 2020 11:09:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51052 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725883AbgHAPJ2 (ORCPT ); Sat, 1 Aug 2020 11:09:28 -0400 Received: from mail-qt1-x841.google.com (mail-qt1-x841.google.com [IPv6:2607:f8b0:4864:20::841]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 021D3C06174A for ; Sat, 1 Aug 2020 08:09:27 -0700 (PDT) Received: by mail-qt1-x841.google.com with SMTP id b25so25243151qto.2 for ; Sat, 01 Aug 2020 08:09:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=AnUnEw7ce9H3qhe28a6R96K/BnlU0zb3g4leH5fYies=; b=IaWHYaZMB5TD+ZQcsllGb890DGQ658jE5DNKFYFaUPNsRW3ushkrkDfszkG+JwLfVT +DzHKRueuVVmG27M8CPJD+rGbb1T0yMJm+Fv+nfJLi+rDE1UaYbJucTI3yDXr7Renj9L 659GJwCDctmyZ1N6NXXIlnLivYkuXXVXUXA3bxUVNC0X7GO/svm13WfelQGvCTCCbuNd sm6jls2Ql0UXm14BgPgt3SIjYWu4WmXf8DmMpVjvADqIGHY1Db/axR2Rzq5N7FWm9csT uRG4gh8n+PeionvH7r+6CHH9Ex4tNTkk47JTyyz6avJ7Vmdpp5U/W53a8sLLfQJEvYJH 6uiA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=AnUnEw7ce9H3qhe28a6R96K/BnlU0zb3g4leH5fYies=; b=TdmtRxCyjQOWrqWHX0gNtwzd1T5XymXlkEznL/jXNtpQFkQ6PfDUOqhmiJQEqpuxHU WTFAz6rXaYatfHYgkr+DN2ygup14pO1/TVdUC/I9Ev18vhk5UvnWeDdZJPQt3dKsl3VI KNFIvMdjKmuqQjx7TxqoX43Ry2+AmOrkt/Fhlyydcj1K6yFd4TzsMjIzzwrP6YQ1jVuQ ZIzy5BLIssf9eWQeQJE7DzMbFrQ5ab/2+v2I4cfRIcvWlt+0zYOlAHGmIsTPrOY5xXZj rb/Fom/9kUnTdhowcrOfFhqRwu761nJOHsDdXus65ccVYVjOzjUoXV+/jSlR+vwPwBvO 50cg== X-Gm-Message-State: AOAM531o7zfbuASK1R3q5NPuyXP2t+Rg09l2sNUhxWNBMsq+Xd4Sx45m CmGf1HKiCN6tQMPE+U+sHg== X-Received: by 2002:ac8:4558:: with SMTP id z24mr9131991qtn.241.1596294566246; Sat, 01 Aug 2020 08:09:26 -0700 (PDT) Received: from PWN (146-115-88-66.s3894.c3-0.sbo-ubr1.sbo.ma.cable.rcncustomer.com. [146.115.88.66]) by smtp.gmail.com with ESMTPSA id p4sm12300599qkj.135.2020.08.01.08.09.22 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 01 Aug 2020 08:09:25 -0700 (PDT) Date: Sat, 1 Aug 2020 11:09:19 -0400 From: Peilin Ye To: "Dmitry V. Levin" Cc: Oleg Nesterov , Elvira Khabirova , Eugene Syromyatnikov , Dan Carpenter , Arnd Bergmann , Greg Kroah-Hartman , linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org Subject: Re: [Linux-kernel-mentees] [PATCH v2] ptrace: Prevent kernel-infoleak in ptrace_get_syscall_info() Message-ID: <20200801150919.GA229082@PWN> References: <20200727213644.328662-1-yepeilin.cs@gmail.com> <20200801020841.227522-1-yepeilin.cs@gmail.com> <20200801110646.GA1705@altlinux.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200801110646.GA1705@altlinux.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Aug 01, 2020 at 02:06:46PM +0300, Dmitry V. Levin wrote: > On Fri, Jul 31, 2020 at 10:08:41PM -0400, Peilin Ye wrote: > > ptrace_get_syscall_info() is potentially copying uninitialized stack > > memory to userspace, since the compiler may leave a 3-byte hole near the > > beginning of `info`. Fix it by adding a padding field to `struct > > ptrace_syscall_info`. > > > > Cc: stable@vger.kernel.org > > Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request") > > Suggested-by: Dan Carpenter > > Signed-off-by: Peilin Ye > > --- > > Change in v2: > > - Add a padding field to `struct ptrace_syscall_info`, instead of > > doing memset() on `info`. (Suggested by Dmitry V. Levin > > ) > > > > Reference: https://lwn.net/Articles/417989/ > > > > $ # before: > > $ pahole -C "ptrace_syscall_info" kernel/ptrace.o > > struct ptrace_syscall_info { > > __u8 op; /* 0 1 */ > > > > /* XXX 3 bytes hole, try to pack */ > > > > __u32 arch __attribute__((__aligned__(4))); /* 4 4 */ > > __u64 instruction_pointer; /* 8 8 */ > > __u64 stack_pointer; /* 16 8 */ > > union { > > struct { > > __u64 nr; /* 24 8 */ > > __u64 args[6]; /* 32 48 */ > > } entry; /* 24 56 */ > > struct { > > __s64 rval; /* 24 8 */ > > __u8 is_error; /* 32 1 */ > > } exit; /* 24 16 */ > > struct { > > __u64 nr; /* 24 8 */ > > __u64 args[6]; /* 32 48 */ > > /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */ > > __u32 ret_data; /* 80 4 */ > > } seccomp; /* 24 64 */ > > }; /* 24 64 */ > > > > /* size: 88, cachelines: 2, members: 5 */ > > /* sum members: 85, holes: 1, sum holes: 3 */ > > /* forced alignments: 1, forced holes: 1, sum forced holes: 3 */ > > /* last cacheline: 24 bytes */ > > } __attribute__((__aligned__(8))); > > $ > > $ # after: > > $ pahole -C "ptrace_syscall_info" kernel/ptrace.o > > struct ptrace_syscall_info { > > __u8 op; /* 0 1 */ > > __u8 pad[3]; /* 1 3 */ > > __u32 arch __attribute__((__aligned__(4))); /* 4 4 */ > > __u64 instruction_pointer; /* 8 8 */ > > __u64 stack_pointer; /* 16 8 */ > > union { > > struct { > > __u64 nr; /* 24 8 */ > > __u64 args[6]; /* 32 48 */ > > } entry; /* 24 56 */ > > struct { > > __s64 rval; /* 24 8 */ > > __u8 is_error; /* 32 1 */ > > } exit; /* 24 16 */ > > struct { > > __u64 nr; /* 24 8 */ > > __u64 args[6]; /* 32 48 */ > > /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */ > > __u32 ret_data; /* 80 4 */ > > } seccomp; /* 24 64 */ > > }; /* 24 64 */ > > > > /* size: 88, cachelines: 2, members: 6 */ > > /* forced alignments: 1 */ > > /* last cacheline: 24 bytes */ > > } __attribute__((__aligned__(8))); > > $ _ > > > > include/uapi/linux/ptrace.h | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h > > index a71b6e3b03eb..a518ba514bac 100644 > > --- a/include/uapi/linux/ptrace.h > > +++ b/include/uapi/linux/ptrace.h > > @@ -81,6 +81,7 @@ struct seccomp_metadata { > > > > struct ptrace_syscall_info { > > __u8 op; /* PTRACE_SYSCALL_INFO_* */ > > + __u8 pad[3]; > > __u32 arch __attribute__((__aligned__(sizeof(__u32)))); > > __u64 instruction_pointer; > > __u64 stack_pointer; > > Funnily enough, but in first editions of PTRACE_GET_SYSCALL_INFO > patchset [1] this was looking very similar: > > +struct ptrace_syscall_info { > + __u8 op; /* PTRACE_SYSCALL_INFO_* */ > + __u8 __pad0[3]; > + __u32 arch; > > But later we decided [2][3] to replace the pad with a hole. > > Note that the sole purpose of the __aligned__ attribute on the field that > follows the hole is to guarantee that the hole has the same size across > architectures. As this hole is being replaced back with a pad, that > __aligned__ attribute is no longer needed and can be omitted along with > adding the pad. Ah, I see. I will remove that in v3. Thank you, Peilin Ye > [1] https://lore.kernel.org/linux-api/20181125022150.46258a20@akathisia/ > [2] https://lore.kernel.org/linux-api/20181211162305.GA480@altlinux.org/ > [3] https://lore.kernel.org/linux-api/20181213171833.GA5240@altlinux.org/ > > > -- > ldv