From: Kees Cook <keescook@chromium.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk,
glider@google.com, arnd@arndb.de, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org, rafael@kernel.org,
syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] libfs: fix infoleak in simple_attr_read()
Date: Sun, 22 Mar 2020 09:57:03 -0700 [thread overview]
Message-ID: <202003220954.24E1E2EB5E@keescook> (raw)
In-Reply-To: <20200308023849.988264-1-ebiggers@kernel.org>
On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Reading from a debugfs file at a nonzero position, without first reading
> at position 0, leaks uninitialized memory to userspace.
>
> It's a bit tricky to do this, since lseek() and pread() aren't allowed
> on these files, and write() doesn't update the position on them. But
> writing to them with splice() *does* update the position:
>
> #define _GNU_SOURCE 1
> #include <fcntl.h>
> #include <stdio.h>
> #include <unistd.h>
> int main()
> {
> int pipes[2], fd, n, i;
> char buf[32];
>
> pipe(pipes);
> write(pipes[1], "0", 1);
> fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
> splice(pipes[0], NULL, fd, NULL, 1, 0);
> n = read(fd, buf, sizeof(buf));
> for (i = 0; i < n; i++)
> printf("%02x", buf[i]);
> printf("\n");
> }
>
> Output:
> 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
>
> Fix the infoleak by making simple_attr_read() always fill
> simple_attr::get_buf if it hasn't been filled yet.
>
> Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
> Reported-by: Alexander Potapenko <glider@google.com>
> Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>
Yikes, that's an important fix!
Acked-by: Kees Cook <keescook@chromium.org>
Luckily (as Alexander mentioned too), most distros make debugfs
non-accessible by non-root (I hope):
$ ls -lda /sys/kernel/debug
drwx------ 39 root root 0 Jan 8 09:10 /sys/kernel/debug/
That function is also exposed via DEFINE_SIMPLE_ATTRIBUTE(), but those
users appear to also be mostly (all?) debugfs too.
And, just to note, for v5.3 and later, this would be fully mitigated by
booting with "init_on_alloc=1".
-Kees
> ---
> fs/libfs.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/fs/libfs.c b/fs/libfs.c
> index c686bd9caac6..3759fbacf522 100644
> --- a/fs/libfs.c
> +++ b/fs/libfs.c
> @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file,
> {
> struct simple_attr *attr;
>
> - attr = kmalloc(sizeof(*attr), GFP_KERNEL);
> + attr = kzalloc(sizeof(*attr), GFP_KERNEL);
> if (!attr)
> return -ENOMEM;
>
> @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
> if (ret)
> return ret;
>
> - if (*ppos) { /* continued read */
> + if (*ppos && attr->get_buf[0]) {
> + /* continued read */
> size = strlen(attr->get_buf);
> - } else { /* first read */
> + } else {
> + /* first read */
> u64 val;
> ret = attr->get(attr->data, &val);
> if (ret)
> --
> 2.25.1
>
--
Kees Cook
prev parent reply other threads:[~2020-03-22 16:57 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-27 9:29 KMSAN: uninit-value in simple_attr_read syzbot
2020-02-27 11:57 ` Alexander Potapenko
2020-03-04 14:36 ` Alexander Potapenko
2020-03-08 2:38 ` [PATCH] libfs: fix infoleak in simple_attr_read() Eric Biggers
2020-03-13 16:45 ` Eric Biggers
2020-03-18 16:39 ` Eric Biggers
2020-03-22 3:56 ` Eric Biggers
2020-03-24 12:13 ` Greg KH
2020-03-22 16:57 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202003220954.24E1E2EB5E@keescook \
--to=keescook@chromium.org \
--cc=arnd@arndb.de \
--cc=ebiggers@kernel.org \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).