From: Alexey Dobriyan <adobriyan@gmail.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
gorcunov@openvz.org, security@kernel.org,
torvalds@linux-foundation.org
Subject: Re: [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak
Date: Mon, 15 Mar 2021 16:30:14 +0300 [thread overview]
Message-ID: <YE9hZtUSWovMDili@localhost.localdomain> (raw)
In-Reply-To: <20210315102901.GP21246@kadam>
On Mon, Mar 15, 2021 at 01:29:02PM +0300, Dan Carpenter wrote:
> On Sun, Mar 14, 2021 at 11:51:14PM +0300, Alexey Dobriyan wrote:
> > prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1);
> >
> > will copy 1 byte from userspace to (quite big) on-stack array
> > and then stash everything to mm->saved_auxv.
>
> What? It won't save everything, only the 1 byte. What am I not seeing?
It does copy 1 byte. How embarassing of me.
I was confused by another way of setting auxv data:
if (prctl_map.auxv_size)
memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));
This does full array copy but the array is fully initialised so there is
no problem.
Stop the presses!
> kernel/sys.c
> 2073 static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
> 2074 unsigned long len)
> 2075 {
> 2076 /*
> 2077 * This doesn't move the auxiliary vector itself since it's pinned to
> 2078 * mm_struct, but it permits filling the vector with new values. It's
> 2079 * up to the caller to provide sane values here, otherwise userspace
> 2080 * tools which use this vector might be unhappy.
> 2081 */
> 2082 unsigned long user_auxv[AT_VECTOR_SIZE] = {};
> 2083
> 2084 if (len > sizeof(user_auxv))
> 2085 return -EINVAL;
> 2086
> 2087 if (copy_from_user(user_auxv, (const void __user *)addr, len))
> ^^^^^^^^^ ^^^
> Copies one byte from user space.
>
> 2088 return -EFAULT;
> 2089
> 2090 /* Make sure the last entry is always AT_NULL */
> 2091 user_auxv[AT_VECTOR_SIZE - 2] = 0;
> 2092 user_auxv[AT_VECTOR_SIZE - 1] = 0;
> 2093
> 2094 BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
> 2095
> 2096 task_lock(current);
> 2097 memcpy(mm->saved_auxv, user_auxv, len);
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Saves one byte to mm->saved_auxv.
>
> 2098 task_unlock(current);
> 2099
> 2100 return 0;
> 2101 }
>
> regards,
> dan carpenter
>
next prev parent reply other threads:[~2021-03-15 13:30 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-14 20:51 [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak Alexey Dobriyan
2021-03-14 21:40 ` Linus Torvalds
2021-03-14 22:24 ` Cyrill Gorcunov
2021-03-15 6:00 ` auxv stuff (Re: [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak) Alexey Dobriyan
2021-03-15 6:42 ` Cyrill Gorcunov
2021-03-16 18:50 ` Alexey Dobriyan
2021-03-16 18:51 ` Cyrill Gorcunov
2021-03-14 22:18 ` [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak Cyrill Gorcunov
2021-03-15 10:29 ` Dan Carpenter
2021-03-15 13:30 ` Alexey Dobriyan [this message]
2021-03-15 12:08 ` Oleg Nesterov
2021-03-15 12:54 ` Cyrill Gorcunov
2021-03-15 13:19 ` Oleg Nesterov
2021-03-15 13:52 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YE9hZtUSWovMDili@localhost.localdomain \
--to=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=dan.carpenter@oracle.com \
--cc=gorcunov@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.