From: Christian Brauner
To: "Dmitry V. Levin"
Cc: linux-kernel@vger.kernel.org, Arnd Bergmann, Oleg Nesterov, Peilin Ye, Elvira Khabirova, linux-api@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, Eugene Syromyatnikov, Dan Carpenter
Date: Sat, 1 Aug 2020 22:10:13 +0200
Subject: Re: [Linux-kernel-mentees] [PATCH v3] ptrace: Prevent kernel-infoleak in ptrace_get_syscall_info()
Message-ID: <20200801201013.gjqj4digttp2rtmj@wittgenstein>
In-Reply-To: <20200801160818.GB4964@altlinux.org>
References: <20200801020841.227522-1-yepeilin.cs@gmail.com> <20200801152044.230416-1-yepeilin.cs@gmail.com> <20200801160818.GB4964@altlinux.org>

On Sat, Aug 01, 2020 at 07:08:19PM +0300, Dmitry V. Levin wrote:
> On Sat, Aug 01, 2020 at 11:20:44AM -0400, Peilin Ye wrote:
> > ptrace_get_syscall_info() is potentially copying uninitialized stack
> > memory to userspace, since the compiler may leave a 3-byte hole near the
> > beginning of `info`. Fix it by adding a padding field to `struct
> > ptrace_syscall_info`.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request")
> > Suggested-by: Dan Carpenter
> > Signed-off-by: Peilin Ye
> > ---
> > Change in v3:
> >     - Remove unnecessary `__aligned__` attribute. (Suggested by
> >       Dmitry V. Levin)
> >
> > Change in v2:
> >     - Add a padding field to `struct ptrace_syscall_info`, instead of
> >       doing memset() on `info`. (Suggested by Dmitry V. Levin)
> >
> > Reference: https://lwn.net/Articles/417989/
> >
> > $ # before:
> > $ pahole -C "ptrace_syscall_info" kernel/ptrace.o
> > struct ptrace_syscall_info {
> >         __u8                       op;                                    /*     0     1 */
> >
> >         /* XXX 3 bytes hole, try to pack */
> >
> >         __u32                      arch __attribute__((__aligned__(4)));  /*     4     4 */
> >         __u64                      instruction_pointer;                   /*     8     8 */
> >         __u64                      stack_pointer;                         /*    16     8 */
> >         union {
> >                 struct {
> >                         __u64      nr;                                    /*    24     8 */
> >                         __u64      args[6];                               /*    32    48 */
> >                 } entry;                                                  /*    24    56 */
> >                 struct {
> >                         __s64      rval;                                  /*    24     8 */
> >                         __u8       is_error;                              /*    32     1 */
> >                 } exit;                                                   /*    24    16 */
> >                 struct {
> >                         __u64      nr;                                    /*    24     8 */
> >                         __u64      args[6];                               /*    32    48 */
> >                         /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */
> >                         __u32      ret_data;                              /*    80     4 */
> >                 } seccomp;                                                /*    24    64 */
> >         };                                                                /*    24    64 */
> >
> >         /* size: 88, cachelines: 2, members: 5 */
> >         /* sum members: 85, holes: 1, sum holes: 3 */
> >         /* forced alignments: 1, forced holes: 1, sum forced holes: 3 */
> >         /* last cacheline: 24 bytes */
> > } __attribute__((__aligned__(8)));
> > $
> > $ # after:
> > $ pahole -C "ptrace_syscall_info" kernel/ptrace.o
> > struct ptrace_syscall_info {
> >         __u8                       op;                                    /*     0     1 */
> >         __u8                       pad[3];                                /*     1     3 */
> >         __u32                      arch;                                  /*     4     4 */
> >         __u64                      instruction_pointer;                   /*     8     8 */
> >         __u64                      stack_pointer;                         /*    16     8 */
> >         union {
> >                 struct {
> >                         __u64      nr;                                    /*    24     8 */
> >                         __u64      args[6];                               /*    32    48 */
> >                 } entry;                                                  /*    24    56 */
> >                 struct {
> >                         __s64      rval;                                  /*    24     8 */
> >                         __u8       is_error;                              /*    32     1 */
> >                 } exit;                                                   /*    24    16 */
> >                 struct {
> >                         __u64      nr;                                    /*    24     8 */
> >                         __u64      args[6];                               /*    32    48 */
> >                         /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */
> >                         __u32      ret_data;                              /*    80     4 */
> >                 } seccomp;                                                /*    24    64 */
> >         };                                                                /*    24    64 */
> >
> /* size: 88, cachelines: 2, members: 6 */ > > /* last cacheline: 24 bytes */ > > }; > > $ _ > > > > include/uapi/linux/ptrace.h | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h > > index a71b6e3b03eb..83ee45fa634b 100644 > > --- a/include/uapi/linux/ptrace.h > > +++ b/include/uapi/linux/ptrace.h > > @@ -81,7 +81,8 @@ struct seccomp_metadata { > > > > struct ptrace_syscall_info { > > __u8 op; /* PTRACE_SYSCALL_INFO_* */ > > - __u32 arch __attribute__((__aligned__(sizeof(__u32)))); > > + __u8 pad[3]; > > + __u32 arch; > > __u64 instruction_pointer; > > __u64 stack_pointer; > > union { > > Reviewed-by: Dmitry V. Levin Acked-by: Christian Brauner Oh fun. I'd pick this up and run the ptrace tests that we have for this. If they pass I'd apply to my fixes branch and send after the merge window unless I hear objections. Fwiw, what was the original reason for using __attribute__((__aligned__(sizeof(__u32))))? b4 mbox is failing to download the relevant thread(s) for me. Thanks! Christian _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
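Review bot: turning the compiler-inserted hole into a named `pad[3]` member only closes the leak if the kernel side builds `info` in a way that writes every member (a designated initializer does; member-by-member stores after the declaration do not), and since the v2 changelog explicitly rejects the memset() alternative, the commit message should say that this is what ptrace_get_syscall_info() relies on. The new member also deserves a one-line comment in the uAPI header, alongside the `/* PTRACE_SYSCALL_INFO_* */` comment on `op`, stating that it is reserved and always zero, so tracers know not to interpret it. It is worth noting in the message as well that the quoted pahole output shows identical offsets and the same 88-byte size before and after, i.e. the user-visible layout is unchanged.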
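As an added example (my code, not the patch or anything from the thread), the two layouts from the pahole output above are reproduced in user space so the two properties a reviewer wants to confirm can be checked by running it: that `pad[3]` leaves the offsets and the 88-byte size untouched, and that the named member is zeroed by a designated initializer while a hole, or a pad that nothing writes, simply carries whatever was on the stack. It goes one step beyond the thread by also showing that naming the bytes is not enough on its own if the struct is filled member by member. The `u8`/`u32`/`u64`/`s64` typedefs, the struct names `info_before`/`info_after`, the 0xA5 poison pattern and the sample field values are assumptions for the demo, and `memcpy` stands in for `copy_to_user()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel's __u8/__u32/__u64/__s64 (assumed for this demo). */
typedef uint8_t  u8;
typedef uint32_t u32;
typedef uint64_t u64;
typedef int64_t  s64;

/* Payload union, transcribed from the pahole output in the thread. */
union syscall_payload {
	struct { u64 nr; u64 args[6]; } entry;
	struct { s64 rval; u8 is_error; } exit;
	struct { u64 nr; u64 args[6]; u32 ret_data; } seccomp;
};

/* Layout before the patch: forced alignment leaves a 3-byte hole after op. */
struct info_before {
	u8 op;
	u32 arch __attribute__((__aligned__(sizeof(u32))));
	u64 instruction_pointer;
	u64 stack_pointer;
	union syscall_payload u;
};

/* Layout after the patch: the hole is now a named member. */
struct info_after {
	u8 op;
	u8 pad[3];
	u32 arch;
	u64 instruction_pointer;
	u64 stack_pointer;
	union syscall_payload u;
};

/* ABI check: sizes and offsets must match pahole (88 bytes, arch at offset 4). */
int layout_is_preserved(void)
{
	return sizeof(struct info_before) == 88 && sizeof(struct info_after) == 88 &&
	       offsetof(struct info_before, arch) == 4 &&
	       offsetof(struct info_after, arch) == 4 &&
	       offsetof(struct info_after, pad) == 1 &&
	       offsetof(struct info_before, u) == offsetof(struct info_after, u);
}

/* Count non-zero bytes at offsets 1..3, i.e. the hole / pad region. */
static int nonzero_pad_bytes(const unsigned char *buf)
{
	int n = 0;
	for (size_t i = 1; i < 4; i++)
		n += buf[i] != 0;
	return n;
}

/* Fill the struct member by member over constructed stale stack data (0xA5);
 * nothing in here ever writes the bytes at offsets 1..3. Sample values only. */
#define FILL_MEMBERWISE(info) do {                                        \
	memset(&(info), 0xA5, sizeof(info));                              \
	(info).op = 1; (info).arch = 0x1234u;                             \
	(info).instruction_pointer = 0x401000; (info).stack_pointer = 0x7ffd0000; \
	memset(&(info).u, 0, sizeof((info).u)); } while (0)

/* Old layout + member-wise stores: the hole is whatever the stack held. */
int before_memberwise_leaks(void)
{
	struct info_before info;
	unsigned char out[sizeof(info)];
	FILL_MEMBERWISE(info);
	memcpy(out, &info, sizeof(info));   /* stands in for copy_to_user() */
	return nonzero_pad_bytes(out);
}

/* New layout + member-wise stores: naming the bytes does not zero them. */
int after_memberwise_leaks(void)
{
	struct info_after info;
	unsigned char out[sizeof(info)];
	FILL_MEMBERWISE(info);
	memcpy(out, &info, sizeof(info));
	return nonzero_pad_bytes(out);
}

/* New layout + designated initializer: every member not listed, pad
 * included, is zero-initialized, so the copied-out bytes are clean. */
int after_initializer_leaks(void)
{
	struct info_after info = { .op = 1, .arch = 0x1234u,
				   .instruction_pointer = 0x401000,
				   .stack_pointer = 0x7ffd0000 };
	unsigned char out[sizeof(info)];
	memcpy(out, &info, sizeof(info));
	return nonzero_pad_bytes(out);
}

int main(void)
{
	printf("layout preserved: %d\n", layout_is_preserved());
	printf("non-zero bytes at 1..3, old layout, member stores: %d\n", before_memberwise_leaks());
	printf("non-zero bytes at 1..3, new layout, member stores: %d\n", after_memberwise_leaks());
	printf("non-zero bytes at 1..3, new layout, initializer:  %d\n", after_initializer_leaks());
	return 0;
}
```

The member-wise result for the old layout is reported but not relied on: C leaves padding bytes unspecified after a member store, so a compiler is free to scrub or keep them, which is exactly why a hole can never be reasoned about. Once the bytes are a named member, the language guarantees both outcomes: they keep the poison when nothing writes them, and they are zero when the initializer covers them.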