[PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user

linux-api.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user
@ 2019-12-28  1:48 Sargun Dhillon
  2019-12-28  2:06 ` Aleksa Sarai
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Sargun Dhillon @ 2019-12-28  1:48 UTC (permalink / raw)
  To: linux-kernel, linux-api; +Cc: tycho, jannh, christian.brauner, keescook, cyphar

This patch is a small change in enforcement of the uapi for
SECCOMP_IOCTL_NOTIF_RECV ioctl. Specifically, the datastructure which
is passed (seccomp_notif) must be zeroed out. Previously any of its
members could be set to nonsense values, and we would ignore it.

This ensures all fields are set to their zero value.

This relies on the seccomp_notif datastructure to not have
any unnamed padding, as it is valid to initialize the datastructure
as:

  struct seccomp_notif notif = {};

This only initializes named members to their 0-value [1].

[1]: https://lore.kernel.org/lkml/20191227023131.klnobtlfgeqcmvbb@yavin.dot.cyphar.com/

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Cc: Kees Cook <keescook@chromium.org>
---
 kernel/seccomp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 12d2227e5786..4fd73cbdd01e 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1026,6 +1026,12 @@ static long seccomp_notify_recv(struct seccomp_filter *filter,
 	struct seccomp_notif unotif;
 	ssize_t ret;
 
+	ret = check_zeroed_user(buf, sizeof(unotif));
+	if (ret < 0)
+		return ret;
+	if (!ret)
+		return -EINVAL;
+
 	memset(&unotif, 0, sizeof(unotif));
 
 	ret = down_interruptible(&filter->notif->request);
-- 
2.20.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user
  2019-12-28  1:48 [PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user Sargun Dhillon
@ 2019-12-28  2:06 ` Aleksa Sarai
  2019-12-28  3:49 ` Tycho Andersen
  2019-12-28  7:09 ` Christian Brauner
  2 siblings, 0 replies; 4+ messages in thread
From: Aleksa Sarai @ 2019-12-28  2:06 UTC (permalink / raw)
  To: Sargun Dhillon
  Cc: linux-kernel, linux-api, tycho, jannh, christian.brauner, keescook

[-- Attachment #1: Type: text/plain, Size: 1631 bytes --]

On 2019-12-28, Sargun Dhillon <sargun@sargun.me> wrote:
> This patch is a small change in enforcement of the uapi for
> SECCOMP_IOCTL_NOTIF_RECV ioctl. Specifically, the datastructure which
> is passed (seccomp_notif) must be zeroed out. Previously any of its
> members could be set to nonsense values, and we would ignore it.
> 
> This ensures all fields are set to their zero value.
> 
> This relies on the seccomp_notif datastructure to not have
> any unnamed padding, as it is valid to initialize the datastructure
> as:
> 
>   struct seccomp_notif notif = {};
> 
> This only initializes named members to their 0-value [1].
> 
> [1]: https://lore.kernel.org/lkml/20191227023131.klnobtlfgeqcmvbb@yavin.dot.cyphar.com/
> 
> Signed-off-by: Sargun Dhillon <sargun@sargun.me>
> Cc: Kees Cook <keescook@chromium.org>

Looks good.

Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>

> ---
>  kernel/seccomp.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 12d2227e5786..4fd73cbdd01e 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -1026,6 +1026,12 @@ static long seccomp_notify_recv(struct seccomp_filter *filter,
>  	struct seccomp_notif unotif;
>  	ssize_t ret;
>  
> +	ret = check_zeroed_user(buf, sizeof(unotif));
> +	if (ret < 0)
> +		return ret;
> +	if (!ret)
> +		return -EINVAL;
> +
>  	memset(&unotif, 0, sizeof(unotif));
>  
>  	ret = down_interruptible(&filter->notif->request);
> -- 
> 2.20.1
> 


-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user
  2019-12-28  1:48 [PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user Sargun Dhillon
  2019-12-28  2:06 ` Aleksa Sarai
@ 2019-12-28  3:49 ` Tycho Andersen
  2019-12-28  7:09 ` Christian Brauner
  2 siblings, 0 replies; 4+ messages in thread
From: Tycho Andersen @ 2019-12-28  3:49 UTC (permalink / raw)
  To: Sargun Dhillon
  Cc: linux-kernel, linux-api, jannh, christian.brauner, keescook, cyphar

On Sat, Dec 28, 2019 at 01:48:51AM +0000, Sargun Dhillon wrote:
> This patch is a small change in enforcement of the uapi for
> SECCOMP_IOCTL_NOTIF_RECV ioctl. Specifically, the datastructure which
> is passed (seccomp_notif) must be zeroed out. Previously any of its
> members could be set to nonsense values, and we would ignore it.
> 
> This ensures all fields are set to their zero value.
> 
> This relies on the seccomp_notif datastructure to not have
> any unnamed padding, as it is valid to initialize the datastructure
> as:
> 
>   struct seccomp_notif notif = {};
> 
> This only initializes named members to their 0-value [1].
> 
> [1]: https://lore.kernel.org/lkml/20191227023131.klnobtlfgeqcmvbb@yavin.dot.cyphar.com/
> 
> Signed-off-by: Sargun Dhillon <sargun@sargun.me>

Acked-by: Tycho Andersen <tycho@tycho.ws>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user
  2019-12-28  1:48 [PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user Sargun Dhillon
  2019-12-28  2:06 ` Aleksa Sarai
  2019-12-28  3:49 ` Tycho Andersen
@ 2019-12-28  7:09 ` Christian Brauner
  2 siblings, 0 replies; 4+ messages in thread
From: Christian Brauner @ 2019-12-28  7:09 UTC (permalink / raw)
  To: Sargun Dhillon; +Cc: linux-kernel, linux-api, tycho, jannh, keescook, cyphar

On Sat, Dec 28, 2019 at 01:48:51AM +0000, Sargun Dhillon wrote:
> This patch is a small change in enforcement of the uapi for
> SECCOMP_IOCTL_NOTIF_RECV ioctl. Specifically, the datastructure which
> is passed (seccomp_notif) must be zeroed out. Previously any of its
> members could be set to nonsense values, and we would ignore it.
> 
> This ensures all fields are set to their zero value.

The upper part is correct and useful.

> 
> This relies on the seccomp_notif datastructure to not have
> any unnamed padding, as it is valid to initialize the datastructure
> as:
> 
>   struct seccomp_notif notif = {};

The interesting part here is accidently leaking kernel addresses to
userspace. For this to be an issue we'd need to do
struct seccomp_notif unotif = {};
copy_to_user(<user-buffer>, &unotif, sizeof(unotif))
_and_ seccomp_notif would need to contain unintentional padding. Even if
the latter were true we still use memset() anwyay and will likely never
remove it. So the code here sure doesn't rely or depends on correct
padding at all. 

> 
> This only initializes named members to their 0-value [1].
> 
> [1]: https://lore.kernel.org/lkml/20191227023131.klnobtlfgeqcmvbb@yavin.dot.cyphar.com/

That link isn't useful and also incorrectly claims that there is
non-intentional padding in the struct which there isn't.

Just drop that whole paragraph. The expectation is that all of our ABIs
are correctly padded anyway and this really just confuses more than it
helps.
Please resend, otherwise:

Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>

But see a small comment below.

> 
> Signed-off-by: Sargun Dhillon <sargun@sargun.me>
> Cc: Kees Cook <keescook@chromium.org>
> ---
>  kernel/seccomp.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 12d2227e5786..4fd73cbdd01e 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -1026,6 +1026,12 @@ static long seccomp_notify_recv(struct seccomp_filter *filter,
>  	struct seccomp_notif unotif;
>  	ssize_t ret;
>  
> +	ret = check_zeroed_user(buf, sizeof(unotif));

It wouldn't hurt to place a small comment here so the reader can easily
spot we've ensured that this struct can be extended. But up to you...

/* Verify that we're not given garbage to keep struct extensible. */

> +	if (ret < 0)
> +		return ret;
> +	if (!ret)
> +		return -EINVAL;
> +
>  	memset(&unotif, 0, sizeof(unotif));
>  
>  	ret = down_interruptible(&filter->notif->request);
> -- 
> 2.20.1
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-12-28  7:09 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-28  1:48 [PATCH v2 2/2] seccomp: Check that seccomp_notif is zeroed out by the user Sargun Dhillon
2019-12-28  2:06 ` Aleksa Sarai
2019-12-28  3:49 ` Tycho Andersen
2019-12-28  7:09 ` Christian Brauner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).