From: Dan Carpenter <dan.carpenter@oracle.com>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
gorcunov@openvz.org, security@kernel.org
Subject: Re: [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak
Date: Mon, 15 Mar 2021 13:29:02 +0300 [thread overview]
Message-ID: <20210315102901.GP21246@kadam> (raw)
In-Reply-To: <YE53QiJuxsCUeoiu@localhost.localdomain>
On Sun, Mar 14, 2021 at 11:51:14PM +0300, Alexey Dobriyan wrote:
> prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1);
>
> will copy 1 byte from userspace to (quite big) on-stack array
> and then stash everything to mm->saved_auxv.
What? It won't save everything, only the 1 byte. What am I not seeing?
kernel/sys.c
2073 static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
2074 unsigned long len)
2075 {
2076 /*
2077 * This doesn't move the auxiliary vector itself since it's pinned to
2078 * mm_struct, but it permits filling the vector with new values. It's
2079 * up to the caller to provide sane values here, otherwise userspace
2080 * tools which use this vector might be unhappy.
2081 */
2082 unsigned long user_auxv[AT_VECTOR_SIZE] = {};
2083
2084 if (len > sizeof(user_auxv))
2085 return -EINVAL;
2086
2087 if (copy_from_user(user_auxv, (const void __user *)addr, len))
^^^^^^^^^ ^^^
Copies one byte from user space.
2088 return -EFAULT;
2089
2090 /* Make sure the last entry is always AT_NULL */
2091 user_auxv[AT_VECTOR_SIZE - 2] = 0;
2092 user_auxv[AT_VECTOR_SIZE - 1] = 0;
2093
2094 BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
2095
2096 task_lock(current);
2097 memcpy(mm->saved_auxv, user_auxv, len);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Saves one byte to mm->saved_auxv.
2098 task_unlock(current);
2099
2100 return 0;
2101 }
regards,
dan carpenter
next prev parent reply other threads:[~2021-03-15 10:30 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-14 20:51 [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak Alexey Dobriyan
2021-03-14 21:40 ` Linus Torvalds
2021-03-14 22:24 ` Cyrill Gorcunov
2021-03-15 6:00 ` auxv stuff (Re: [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak) Alexey Dobriyan
2021-03-15 6:42 ` Cyrill Gorcunov
2021-03-16 18:50 ` Alexey Dobriyan
2021-03-16 18:51 ` Cyrill Gorcunov
2021-03-14 22:18 ` [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak Cyrill Gorcunov
2021-03-15 10:29 ` Dan Carpenter [this message]
2021-03-15 13:30 ` Alexey Dobriyan
2021-03-15 12:08 ` Oleg Nesterov
2021-03-15 12:54 ` Cyrill Gorcunov
2021-03-15 13:19 ` Oleg Nesterov
2021-03-15 13:52 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210315102901.GP21246@kadam \
--to=dan.carpenter@oracle.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=gorcunov@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.