* [PATCH] riscv: process: fix kernel info leakage
@ 2022-10-29 11:34 ` Jisheng Zhang
0 siblings, 0 replies; 10+ messages in thread
From: Jisheng Zhang @ 2022-10-29 11:34 UTC (permalink / raw)
To: Paul Walmsley, Palmer Dabbelt, Albert Ou, Guo Ren
Cc: linux-riscv, linux-kernel
thread_struct's s[12] may contain random kernel memory content, which
may be finally leaked to userspace. This is a security hole. Fix it
by clearing the s[12] array in thread_struct when fork.
As for kthread case, it's better to clear the s[12] array as well.
Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
---
Previously, it's one of the series of "riscv: entry: further clean up
and VMAP_STACK fix". This is a fix, so I move it out of the series and
send it separately
arch/riscv/kernel/process.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
index ceb9ebab6558..52002d54b163 100644
--- a/arch/riscv/kernel/process.c
+++ b/arch/riscv/kernel/process.c
@@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
unsigned long tls = args->tls;
struct pt_regs *childregs = task_pt_regs(p);
+ memset(&p->thread.s, 0, sizeof(p->thread.s));
+
/* p->thread holds context to be restored by __switch_to() */
if (unlikely(args->fn)) {
/* Kernel thread */
--
2.37.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH] riscv: process: fix kernel info leakage
@ 2022-10-29 11:34 ` Jisheng Zhang
0 siblings, 0 replies; 10+ messages in thread
From: Jisheng Zhang @ 2022-10-29 11:34 UTC (permalink / raw)
To: Paul Walmsley, Palmer Dabbelt, Albert Ou, Guo Ren
Cc: linux-riscv, linux-kernel
thread_struct's s[12] may contain random kernel memory content, which
may be finally leaked to userspace. This is a security hole. Fix it
by clearing the s[12] array in thread_struct when fork.
As for kthread case, it's better to clear the s[12] array as well.
Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
---
Previously, it's one of the series of "riscv: entry: further clean up
and VMAP_STACK fix". This is a fix, so I move it out of the series and
send it separately
arch/riscv/kernel/process.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
index ceb9ebab6558..52002d54b163 100644
--- a/arch/riscv/kernel/process.c
+++ b/arch/riscv/kernel/process.c
@@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
unsigned long tls = args->tls;
struct pt_regs *childregs = task_pt_regs(p);
+ memset(&p->thread.s, 0, sizeof(p->thread.s));
+
/* p->thread holds context to be restored by __switch_to() */
if (unlikely(args->fn)) {
/* Kernel thread */
--
2.37.2
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] riscv: process: fix kernel info leakage
2022-10-29 11:34 ` Jisheng Zhang
@ 2022-10-30 0:03 ` Guo Ren
-1 siblings, 0 replies; 10+ messages in thread
From: Guo Ren @ 2022-10-30 0:03 UTC (permalink / raw)
To: Jisheng Zhang
Cc: Paul Walmsley, Palmer Dabbelt, Albert Ou, linux-riscv, linux-kernel
On Sat, Oct 29, 2022 at 7:44 PM Jisheng Zhang <jszhang@kernel.org> wrote:
>
> thread_struct's s[12] may contain random kernel memory content, which
> may be finally leaked to userspace. This is a security hole. Fix it
> by clearing the s[12] array in thread_struct when fork.
>
> As for kthread case, it's better to clear the s[12] array as well.
>
> Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
> Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
> ---
>
> Previously, it's one of the series of "riscv: entry: further clean up
> and VMAP_STACK fix". This is a fix, so I move it out of the series and
> send it separately
>
> arch/riscv/kernel/process.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
> index ceb9ebab6558..52002d54b163 100644
> --- a/arch/riscv/kernel/process.c
> +++ b/arch/riscv/kernel/process.c
> @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
> unsigned long tls = args->tls;
> struct pt_regs *childregs = task_pt_regs(p);
>
> + memset(&p->thread.s, 0, sizeof(p->thread.s));
Tested-by: Guo Ren <guoren@kernel.org>
> +
> /* p->thread holds context to be restored by __switch_to() */
> if (unlikely(args->fn)) {
> /* Kernel thread */
> --
> 2.37.2
>
--
Best Regards
Guo Ren
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] riscv: process: fix kernel info leakage
@ 2022-10-30 0:03 ` Guo Ren
0 siblings, 0 replies; 10+ messages in thread
From: Guo Ren @ 2022-10-30 0:03 UTC (permalink / raw)
To: Jisheng Zhang
Cc: Paul Walmsley, Palmer Dabbelt, Albert Ou, linux-riscv, linux-kernel
On Sat, Oct 29, 2022 at 7:44 PM Jisheng Zhang <jszhang@kernel.org> wrote:
>
> thread_struct's s[12] may contain random kernel memory content, which
> may be finally leaked to userspace. This is a security hole. Fix it
> by clearing the s[12] array in thread_struct when fork.
>
> As for kthread case, it's better to clear the s[12] array as well.
>
> Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
> Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
> ---
>
> Previously, it's one of the series of "riscv: entry: further clean up
> and VMAP_STACK fix". This is a fix, so I move it out of the series and
> send it separately
>
> arch/riscv/kernel/process.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
> index ceb9ebab6558..52002d54b163 100644
> --- a/arch/riscv/kernel/process.c
> +++ b/arch/riscv/kernel/process.c
> @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
> unsigned long tls = args->tls;
> struct pt_regs *childregs = task_pt_regs(p);
>
> + memset(&p->thread.s, 0, sizeof(p->thread.s));
Tested-by: Guo Ren <guoren@kernel.org>
> +
> /* p->thread holds context to be restored by __switch_to() */
> if (unlikely(args->fn)) {
> /* Kernel thread */
> --
> 2.37.2
>
--
Best Regards
Guo Ren
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] riscv: process: fix kernel info leakage
2022-10-29 11:34 ` Jisheng Zhang
@ 2022-10-31 19:14 ` Conor Dooley
-1 siblings, 0 replies; 10+ messages in thread
From: Conor Dooley @ 2022-10-31 19:14 UTC (permalink / raw)
To: Jisheng Zhang
Cc: Paul Walmsley, Palmer Dabbelt, Albert Ou, Guo Ren, linux-riscv,
linux-kernel
On Sat, Oct 29, 2022 at 07:34:50PM +0800, Jisheng Zhang wrote:
> thread_struct's s[12] may contain random kernel memory content, which
> may be finally leaked to userspace. This is a security hole. Fix it
> by clearing the s[12] array in thread_struct when fork.
>
> As for kthread case, it's better to clear the s[12] array as well.
>
> Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
> Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
> ---
>
> Previously, it's one of the series of "riscv: entry: further clean up
> and VMAP_STACK fix". This is a fix, so I move it out of the series and
> send it separately
Should this not be carrying a R-b from Guo Ren from that series?
https://lore.kernel.org/linux-riscv/CAJF2gTSdVyAaM12T+7kXAdRPGS4VyuO08X1c7paE-n4Fr8OtRA@mail.gmail.com/
>
> arch/riscv/kernel/process.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
> index ceb9ebab6558..52002d54b163 100644
> --- a/arch/riscv/kernel/process.c
> +++ b/arch/riscv/kernel/process.c
> @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
> unsigned long tls = args->tls;
> struct pt_regs *childregs = task_pt_regs(p);
>
> + memset(&p->thread.s, 0, sizeof(p->thread.s));
> +
> /* p->thread holds context to be restored by __switch_to() */
> if (unlikely(args->fn)) {
> /* Kernel thread */
> --
> 2.37.2
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] riscv: process: fix kernel info leakage
@ 2022-10-31 19:14 ` Conor Dooley
0 siblings, 0 replies; 10+ messages in thread
From: Conor Dooley @ 2022-10-31 19:14 UTC (permalink / raw)
To: Jisheng Zhang
Cc: Paul Walmsley, Palmer Dabbelt, Albert Ou, Guo Ren, linux-riscv,
linux-kernel
On Sat, Oct 29, 2022 at 07:34:50PM +0800, Jisheng Zhang wrote:
> thread_struct's s[12] may contain random kernel memory content, which
> may be finally leaked to userspace. This is a security hole. Fix it
> by clearing the s[12] array in thread_struct when fork.
>
> As for kthread case, it's better to clear the s[12] array as well.
>
> Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
> Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
> ---
>
> Previously, it's one of the series of "riscv: entry: further clean up
> and VMAP_STACK fix". This is a fix, so I move it out of the series and
> send it separately
Should this not be carrying a R-b from Guo Ren from that series?
https://lore.kernel.org/linux-riscv/CAJF2gTSdVyAaM12T+7kXAdRPGS4VyuO08X1c7paE-n4Fr8OtRA@mail.gmail.com/
>
> arch/riscv/kernel/process.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
> index ceb9ebab6558..52002d54b163 100644
> --- a/arch/riscv/kernel/process.c
> +++ b/arch/riscv/kernel/process.c
> @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
> unsigned long tls = args->tls;
> struct pt_regs *childregs = task_pt_regs(p);
>
> + memset(&p->thread.s, 0, sizeof(p->thread.s));
> +
> /* p->thread holds context to be restored by __switch_to() */
> if (unlikely(args->fn)) {
> /* Kernel thread */
> --
> 2.37.2
>
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] riscv: process: fix kernel info leakage
2022-10-29 11:34 ` Jisheng Zhang
@ 2022-11-10 22:45 ` Palmer Dabbelt
-1 siblings, 0 replies; 10+ messages in thread
From: Palmer Dabbelt @ 2022-11-10 22:45 UTC (permalink / raw)
To: Jisheng Zhang, Guo Ren, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: linux-kernel, linux-riscv
On Sat, 29 Oct 2022 19:34:50 +0800, Jisheng Zhang wrote:
> thread_struct's s[12] may contain random kernel memory content, which
> may be finally leaked to userspace. This is a security hole. Fix it
> by clearing the s[12] array in thread_struct when fork.
>
> As for kthread case, it's better to clear the s[12] array as well.
>
>
> [...]
Applied, thanks!
[1/1] riscv: process: fix kernel info leakage
https://git.kernel.org/palmer/c/6510c78490c4
Best regards,
--
Palmer Dabbelt <palmer@rivosinc.com>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] riscv: process: fix kernel info leakage
@ 2022-11-10 22:45 ` Palmer Dabbelt
0 siblings, 0 replies; 10+ messages in thread
From: Palmer Dabbelt @ 2022-11-10 22:45 UTC (permalink / raw)
To: Jisheng Zhang, Guo Ren, Paul Walmsley, Palmer Dabbelt, Albert Ou
Cc: linux-kernel, linux-riscv
On Sat, 29 Oct 2022 19:34:50 +0800, Jisheng Zhang wrote:
> thread_struct's s[12] may contain random kernel memory content, which
> may be finally leaked to userspace. This is a security hole. Fix it
> by clearing the s[12] array in thread_struct when fork.
>
> As for kthread case, it's better to clear the s[12] array as well.
>
>
> [...]
Applied, thanks!
[1/1] riscv: process: fix kernel info leakage
https://git.kernel.org/palmer/c/6510c78490c4
Best regards,
--
Palmer Dabbelt <palmer@rivosinc.com>
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] riscv: process: fix kernel info leakage
2022-10-29 11:34 ` Jisheng Zhang
@ 2022-11-10 22:50 ` patchwork-bot+linux-riscv
-1 siblings, 0 replies; 10+ messages in thread
From: patchwork-bot+linux-riscv @ 2022-11-10 22:50 UTC (permalink / raw)
To: Jisheng Zhang
Cc: linux-riscv, paul.walmsley, palmer, aou, guoren, linux-kernel
Hello:
This patch was applied to riscv/linux.git (fixes)
by Palmer Dabbelt <palmer@rivosinc.com>:
On Sat, 29 Oct 2022 19:34:50 +0800 you wrote:
> thread_struct's s[12] may contain random kernel memory content, which
> may be finally leaked to userspace. This is a security hole. Fix it
> by clearing the s[12] array in thread_struct when fork.
>
> As for kthread case, it's better to clear the s[12] array as well.
>
> Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
> Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
>
> [...]
Here is the summary with links:
- riscv: process: fix kernel info leakage
https://git.kernel.org/riscv/c/6510c78490c4
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] riscv: process: fix kernel info leakage
@ 2022-11-10 22:50 ` patchwork-bot+linux-riscv
0 siblings, 0 replies; 10+ messages in thread
From: patchwork-bot+linux-riscv @ 2022-11-10 22:50 UTC (permalink / raw)
To: Jisheng Zhang
Cc: linux-riscv, paul.walmsley, palmer, aou, guoren, linux-kernel
Hello:
This patch was applied to riscv/linux.git (fixes)
by Palmer Dabbelt <palmer@rivosinc.com>:
On Sat, 29 Oct 2022 19:34:50 +0800 you wrote:
> thread_struct's s[12] may contain random kernel memory content, which
> may be finally leaked to userspace. This is a security hole. Fix it
> by clearing the s[12] array in thread_struct when fork.
>
> As for kthread case, it's better to clear the s[12] array as well.
>
> Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
> Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
>
> [...]
Here is the summary with links:
- riscv: process: fix kernel info leakage
https://git.kernel.org/riscv/c/6510c78490c4
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2022-11-10 22:50 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-29 11:34 [PATCH] riscv: process: fix kernel info leakage Jisheng Zhang
2022-10-29 11:34 ` Jisheng Zhang
2022-10-30 0:03 ` Guo Ren
2022-10-30 0:03 ` Guo Ren
2022-10-31 19:14 ` Conor Dooley
2022-10-31 19:14 ` Conor Dooley
2022-11-10 22:45 ` Palmer Dabbelt
2022-11-10 22:45 ` Palmer Dabbelt
2022-11-10 22:50 ` patchwork-bot+linux-riscv
2022-11-10 22:50 ` patchwork-bot+linux-riscv
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.