Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp862680pxa; Sat, 1 Aug 2020 08:24:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyswQh3jnIb0CSSLc+F98pxx+VxTW/h/KP/RPC8H7ckQjxCy37dtrQ8Uonh8i5ukYL9TZTi X-Received: by 2002:aa7:da4c:: with SMTP id w12mr8423482eds.122.1596295450276; Sat, 01 Aug 2020 08:24:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596295450; cv=none; d=google.com; s=arc-20160816; b=PS7P0pK6iXQMClUjBsuOCCAL9Qz9ak8wEVqpOpYmfhXf1Rq970+dDxONRDRRAe6uc2 QxuQ08adE7vxjhBSeclCRN7mcOyvKUZv3J05TcYmN4kpCx7H6ia+UutyMEnkLFc690da LjQxMy6uvaR4DYmbH1wnZF/aNz75+PfM0O131yPSIGxVaiWGtahJJA+XbyaGT40v9Tri ebLpEz+KqNiDB+/MxhbvQ28lk/A0mZ6u0UdJPomV7KKz4fMqNY1egOzm8WTVCRIAuQwN L+HYVfM7sczP0NBN2xAEZMSKqXdJdGJk1lwMHvKZTeaMfYvPV8PjmX5+QRpGq0wHfp+g DB5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=i9HjdunNdeDb6el2KFiKvzDJLets7DjcfYSJtReQ90A=; b=FT53QLwacol6343dUujST8bW3JNyJFFTK9OQgy6HnpLnf6tVB8pQjxcXyS89VJtJQo rcbXBq9lZT4dFGvmb3m7ADaX3VQLp16V8X+xqfOjzsuKoivjGNIAPFzHXZC4Pf1eQyKV konm3P8vDFWWUBK8zVNdoTHVGasi2Jxfeeh0NWQVVdc2q/EWj5DcK+wC7dSm+IGPiFf4 CsqKcjOkO21NdLC+MvqTNLY7Ru8p0Jcslp2lO0AGxXKisM+/UDd6lGPF7iWPohV7GtjO h7qe5PqQGNrhId4timl8w4oQeK5gnw0GOFZaZu6cUnjecpRxJXZamsik1LYOwo31MjgB RwYQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=a+CQ6tFX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l22si7215064ejz.138.2020.08.01.08.23.47; Sat, 01 Aug 2020 08:24:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=a+CQ6tFX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726615AbgHAPWz (ORCPT + 99 others); Sat, 1 Aug 2020 11:22:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53092 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726534AbgHAPWz (ORCPT ); Sat, 1 Aug 2020 11:22:55 -0400 Received: from mail-qk1-x743.google.com (mail-qk1-x743.google.com [IPv6:2607:f8b0:4864:20::743]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 20F05C06174A for ; Sat, 1 Aug 2020 08:22:55 -0700 (PDT) Received: by mail-qk1-x743.google.com with SMTP id b14so29881750qkn.4 for ; Sat, 01 Aug 2020 08:22:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=i9HjdunNdeDb6el2KFiKvzDJLets7DjcfYSJtReQ90A=; b=a+CQ6tFXEKoQnwBiEU7118Tp/SPyORFALhwIwQIB+HWrVUhhYoozvHpKP1TKZu5Sly GPgx/3KNprl7UzHNQGLceoVwFuTlAh5xcG/RhRunG5U15hStEkZaXnCjkdUlgeBLb3Go eUT6RnSA1UH9JvpHt5UXTFGHj8c3adU/YsRih//N8DIeUGJR+VN34Sayvu/rsHw/JL69 MlMTaMsynn9HBHKDZgasVkzIKkRAe4HOAusD7hzeaWJIO9ewRNH8bp+YKGlgHhF3lLh8 gateEnSLgsZM5K3Vrl6Volcs++mwpA2v8tIjMzN0aG2ZlhQRLBk3iiM2UE/Spizb8EHs Uf0Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=i9HjdunNdeDb6el2KFiKvzDJLets7DjcfYSJtReQ90A=; b=dzsXsC73tTiWPAKPm1ZYJbCyn2bCYZMF1RQ7im0pnkCi6QgQ9kryd5smEvyW1fuKcS bJR1qQrEJrhI60ufr2MOCrBlLlzocsrcpZjet4NuuhyNbWz0GM+8fnO5Y5womB4xvb/5 ec9pK0kjWn5j2vj/OSBrP9lyQwgO454WdzErMR5Wy3qJSbyjIvSa63rYY6ZUiKH8mwvF MBsXo4q5+LQP6B0dfCQ6rmGRrJGTR4w2bzOuvCkdTF/su6w5TQzZbXnp1pMtwQhacgAW l270qaWR9eC7sT7o5pVU+Y9YjkSTe9nbxOVdKQ2gfHS/9gFypvz3NtbkbtueaDukeEKi Ohdw== X-Gm-Message-State: AOAM531SfCvCK5/oBUB48VpQJEciy71Wytbu1dKaJBURohWMn961YrJd OBrg3GCxj3bBUj4cYC632w== X-Received: by 2002:a05:620a:13c9:: with SMTP id g9mr1484449qkl.436.1596295374348; Sat, 01 Aug 2020 08:22:54 -0700 (PDT) Received: from localhost.localdomain (146-115-88-66.s3894.c3-0.sbo-ubr1.sbo.ma.cable.rcncustomer.com. [146.115.88.66]) by smtp.gmail.com with ESMTPSA id n184sm12951144qkn.49.2020.08.01.08.22.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 01 Aug 2020 08:22:53 -0700 (PDT) From: Peilin Ye To: Oleg Nesterov Cc: Peilin Ye , "Dmitry V. Levin" , Elvira Khabirova , Dan Carpenter , Arnd Bergmann , Greg Kroah-Hartman , linux-kernel-mentees@lists.linuxfoundation.org, linux-kernel@vger.kernel.org Subject: [Linux-kernel-mentees] [PATCH v3] ptrace: Prevent kernel-infoleak in ptrace_get_syscall_info() Date: Sat, 1 Aug 2020 11:20:44 -0400 Message-Id: <20200801152044.230416-1-yepeilin.cs@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200801020841.227522-1-yepeilin.cs@gmail.com> References: <20200801020841.227522-1-yepeilin.cs@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ptrace_get_syscall_info() is potentially copying uninitialized stack memory to userspace, since the compiler may leave a 3-byte hole near the beginning of `info`. Fix it by adding a padding field to `struct ptrace_syscall_info`. Cc: stable@vger.kernel.org Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request") Suggested-by: Dan Carpenter Signed-off-by: Peilin Ye --- Change in v3: - Remove unnecessary `__aligned__` attribute. (Suggested by Dmitry V. Levin ) Change in v2: - Add a padding field to `struct ptrace_syscall_info`, instead of doing memset() on `info`. (Suggested by Dmitry V. Levin ) Reference: https://lwn.net/Articles/417989/ $ # before: $ pahole -C "ptrace_syscall_info" kernel/ptrace.o struct ptrace_syscall_info { __u8 op; /* 0 1 */ /* XXX 3 bytes hole, try to pack */ __u32 arch __attribute__((__aligned__(4))); /* 4 4 */ __u64 instruction_pointer; /* 8 8 */ __u64 stack_pointer; /* 16 8 */ union { struct { __u64 nr; /* 24 8 */ __u64 args[6]; /* 32 48 */ } entry; /* 24 56 */ struct { __s64 rval; /* 24 8 */ __u8 is_error; /* 32 1 */ } exit; /* 24 16 */ struct { __u64 nr; /* 24 8 */ __u64 args[6]; /* 32 48 */ /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */ __u32 ret_data; /* 80 4 */ } seccomp; /* 24 64 */ }; /* 24 64 */ /* size: 88, cachelines: 2, members: 5 */ /* sum members: 85, holes: 1, sum holes: 3 */ /* forced alignments: 1, forced holes: 1, sum forced holes: 3 */ /* last cacheline: 24 bytes */ } __attribute__((__aligned__(8))); $ $ # after: $ pahole -C "ptrace_syscall_info" kernel/ptrace.o struct ptrace_syscall_info { __u8 op; /* 0 1 */ __u8 pad[3]; /* 1 3 */ __u32 arch; /* 4 4 */ __u64 instruction_pointer; /* 8 8 */ __u64 stack_pointer; /* 16 8 */ union { struct { __u64 nr; /* 24 8 */ __u64 args[6]; /* 32 48 */ } entry; /* 24 56 */ struct { __s64 rval; /* 24 8 */ __u8 is_error; /* 32 1 */ } exit; /* 24 16 */ struct { __u64 nr; /* 24 8 */ __u64 args[6]; /* 32 48 */ /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */ __u32 ret_data; /* 80 4 */ } seccomp; /* 24 64 */ }; /* 24 64 */ /* size: 88, cachelines: 2, members: 6 */ /* last cacheline: 24 bytes */ }; $ _ include/uapi/linux/ptrace.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h index a71b6e3b03eb..83ee45fa634b 100644 --- a/include/uapi/linux/ptrace.h +++ b/include/uapi/linux/ptrace.h @@ -81,7 +81,8 @@ struct seccomp_metadata { struct ptrace_syscall_info { __u8 op; /* PTRACE_SYSCALL_INFO_* */ - __u32 arch __attribute__((__aligned__(sizeof(__u32)))); + __u8 pad[3]; + __u32 arch; __u64 instruction_pointer; __u64 stack_pointer; union { -- 2.25.1