All of lore.kernel.org
 help / color / mirror / Atom feed
From: Alexey Dobriyan <adobriyan@gmail.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	gorcunov@openvz.org, security@kernel.org,
	torvalds@linux-foundation.org
Subject: Re: [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak
Date: Mon, 15 Mar 2021 16:30:14 +0300	[thread overview]
Message-ID: <YE9hZtUSWovMDili@localhost.localdomain> (raw)
In-Reply-To: <20210315102901.GP21246@kadam>

On Mon, Mar 15, 2021 at 01:29:02PM +0300, Dan Carpenter wrote:
> On Sun, Mar 14, 2021 at 11:51:14PM +0300, Alexey Dobriyan wrote:
> > 	prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1);
> > 
> > will copy 1 byte from userspace to (quite big) on-stack array
> > and then stash everything to mm->saved_auxv.
> 
> What?  It won't save everything, only the 1 byte.  What am I not seeing?

It does copy 1 byte. How embarassing of me.

I was confused by another way of setting auxv data:

	        if (prctl_map.auxv_size)
	                memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));

This does full array copy but the array is fully initialised so there is
no problem.

Stop the presses!

> kernel/sys.c
>   2073  static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
>   2074                            unsigned long len)
>   2075  {
>   2076          /*
>   2077           * This doesn't move the auxiliary vector itself since it's pinned to
>   2078           * mm_struct, but it permits filling the vector with new values.  It's
>   2079           * up to the caller to provide sane values here, otherwise userspace
>   2080           * tools which use this vector might be unhappy.
>   2081           */
>   2082          unsigned long user_auxv[AT_VECTOR_SIZE] = {};
>   2083  
>   2084          if (len > sizeof(user_auxv))
>   2085                  return -EINVAL;
>   2086  
>   2087          if (copy_from_user(user_auxv, (const void __user *)addr, len))
>                                    ^^^^^^^^^                             ^^^
> Copies one byte from user space.
> 
>   2088                  return -EFAULT;
>   2089  
>   2090          /* Make sure the last entry is always AT_NULL */
>   2091          user_auxv[AT_VECTOR_SIZE - 2] = 0;
>   2092          user_auxv[AT_VECTOR_SIZE - 1] = 0;
>   2093  
>   2094          BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
>   2095  
>   2096          task_lock(current);
>   2097          memcpy(mm->saved_auxv, user_auxv, len);
>                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Saves one byte to mm->saved_auxv.
> 
>   2098          task_unlock(current);
>   2099  
>   2100          return 0;
>   2101  }
> 
> regards,
> dan carpenter
> 

  reply	other threads:[~2021-03-15 13:30 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-14 20:51 [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak Alexey Dobriyan
2021-03-14 21:40 ` Linus Torvalds
2021-03-14 22:24   ` Cyrill Gorcunov
2021-03-15  6:00   ` auxv stuff (Re: [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak) Alexey Dobriyan
2021-03-15  6:42     ` Cyrill Gorcunov
2021-03-16 18:50       ` Alexey Dobriyan
2021-03-16 18:51         ` Cyrill Gorcunov
2021-03-14 22:18 ` [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak Cyrill Gorcunov
2021-03-15 10:29 ` Dan Carpenter
2021-03-15 13:30   ` Alexey Dobriyan [this message]
2021-03-15 12:08 ` Oleg Nesterov
2021-03-15 12:54   ` Cyrill Gorcunov
2021-03-15 13:19     ` Oleg Nesterov
2021-03-15 13:52       ` Cyrill Gorcunov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YE9hZtUSWovMDili@localhost.localdomain \
    --to=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=dan.carpenter@oracle.com \
    --cc=gorcunov@openvz.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=security@kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.