[PATCH 3.10-rc7] Fix: kernel/ptrace.c: ptrace_peek_siginfo() missing __put_user() validation

[PATCH 3.10-rc7] Fix: kernel/ptrace.c: ptrace_peek_siginfo() missing __put_user() validation

[Mathieu Desnoyers]

This __put_user() could be used by unprivileged processes to write into
kernel memory. The issue here is that even if copy_siginfo_to_user()
fails, the error code is not checked before __put_user() is executed.
Luckily, ptrace_peek_siginfo() has been added within the 3.10-rc cycle,
so it has not hit a stable release yet.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
CC: Andrey Vagin <avagin@openvz.org>
CC: Roland McGrath <roland@redhat.com>
CC: Oleg Nesterov <oleg@redhat.com>
CC: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
CC: David Howells <dhowells@redhat.com>
CC: Dave Jones <davej@redhat.com>
CC: Pavel Emelyanov <xemul@parallels.com>
CC: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Pedro Alves <palves@redhat.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Linus Torvalds <torvalds@linux-foundation.org>
---
 kernel/ptrace.c |   20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

Index: linux/kernel/ptrace.c
===================================================================
--- linux.orig/kernel/ptrace.c
+++ linux/kernel/ptrace.c
@@ -665,20 +665,22 @@ static int ptrace_peek_siginfo(struct ta
 		if (unlikely(is_compat_task())) {
 			compat_siginfo_t __user *uinfo = compat_ptr(data);
 
-			ret = copy_siginfo_to_user32(uinfo, &info);
-			ret |= __put_user(info.si_code, &uinfo->si_code);
+			if (copy_siginfo_to_user32(uinfo, &info) ||
+			    __put_user(info.si_code, &uinfo->si_code)) {
+				ret = -EFAULT;
+				break;
+			}
+
 		} else
 #endif
 		{
 			siginfo_t __user *uinfo = (siginfo_t __user *) data;
 
-			ret = copy_siginfo_to_user(uinfo, &info);
-			ret |= __put_user(info.si_code, &uinfo->si_code);
-		}
-
-		if (ret) {
-			ret = -EFAULT;
-			break;
+			if (copy_siginfo_to_user(uinfo, &info) ||
+			    __put_user(info.si_code, &uinfo->si_code)) {
+				ret = -EFAULT;
+				break;
+			}
 		}
 
 		data += sizeof(siginfo_t);

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com

Re: [PATCH 3.10-rc7] Fix: kernel/ptrace.c: ptrace_peek_siginfo() missing __put_user() validation

[Oleg Nesterov]

On 06/28, Mathieu Desnoyers wrote:
>
> This __put_user() could be used by unprivileged processes to write into
> kernel memory. The issue here is that even if copy_siginfo_to_user()
> fails, the error code is not checked before __put_user() is executed.
> Luckily, ptrace_peek_siginfo() has been added within the 3.10-rc cycle,
> so it has not hit a stable release yet.

Agreed, this looks like 3.10 material.

Acked-by: Oleg Nesterov <oleg@redhat.com>

> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> CC: Andrey Vagin <avagin@openvz.org>
> CC: Roland McGrath <roland@redhat.com>
> CC: Oleg Nesterov <oleg@redhat.com>
> CC: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
> CC: David Howells <dhowells@redhat.com>
> CC: Dave Jones <davej@redhat.com>
> CC: Pavel Emelyanov <xemul@parallels.com>
> CC: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Pedro Alves <palves@redhat.com>
> CC: Andrew Morton <akpm@linux-foundation.org>
> CC: Linus Torvalds <torvalds@linux-foundation.org>
> ---
>  kernel/ptrace.c |   20 +++++++++++---------
>  1 file changed, 11 insertions(+), 9 deletions(-)
> 
> Index: linux/kernel/ptrace.c
> ===================================================================
> --- linux.orig/kernel/ptrace.c
> +++ linux/kernel/ptrace.c
> @@ -665,20 +665,22 @@ static int ptrace_peek_siginfo(struct ta
>  		if (unlikely(is_compat_task())) {
>  			compat_siginfo_t __user *uinfo = compat_ptr(data);
>  
> -			ret = copy_siginfo_to_user32(uinfo, &info);
> -			ret |= __put_user(info.si_code, &uinfo->si_code);
> +			if (copy_siginfo_to_user32(uinfo, &info) ||
> +			    __put_user(info.si_code, &uinfo->si_code)) {
> +				ret = -EFAULT;
> +				break;
> +			}
> +
>  		} else
>  #endif
>  		{
>  			siginfo_t __user *uinfo = (siginfo_t __user *) data;
>  
> -			ret = copy_siginfo_to_user(uinfo, &info);
> -			ret |= __put_user(info.si_code, &uinfo->si_code);
> -		}
> -
> -		if (ret) {
> -			ret = -EFAULT;
> -			break;
> +			if (copy_siginfo_to_user(uinfo, &info) ||
> +			    __put_user(info.si_code, &uinfo->si_code)) {
> +				ret = -EFAULT;
> +				break;
> +			}
>  		}
>  
>  		data += sizeof(siginfo_t);
> 
> -- 
> Mathieu Desnoyers
> EfficiOS Inc.
> http://www.efficios.com

Re: [PATCH 3.10-rc7] Fix: kernel/ptrace.c: ptrace_peek_siginfo() missing __put_user() validation

[Linus Torvalds]

On Fri, Jun 28, 2013 at 6:49 AM, Mathieu Desnoyers
<mathieu.desnoyers@efficios.com> wrote:
> This __put_user() could be used by unprivileged processes to write into
> kernel memory. The issue here is that even if copy_siginfo_to_user()
> fails, the error code is not checked before __put_user() is executed.
> Luckily, ptrace_peek_siginfo() has been added within the 3.10-rc cycle,
> so it has not hit a stable release yet.

Why do those stupid

    __put_user(info.si_code, &uinfo->si_code))

things exist at all?

As far as I can tell, copy_siginfo_to_user[32]() already copies
si_code. Is the field really so important that it has to be copied
twice, just to make sure the write makes it?

Ok, ok, I see the explanation in the commit message that introduced
this, but it sure as hell isn't obvious from actually looking at the
code. I'm applying the patch, but I think this should have been a
comment in the code as well.

                 Linus