linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Andy Lutomirski <luto@kernel.org>
To: x86@kernel.org
Cc: Borislav Petkov <bp@alien8.de>,
	linux-kernel@vger.kernel.org, Brian Gerst <brgerst@gmail.com>,
	Jann Horn <jann@thejh.net>, Andy Lutomirski <luto@kernel.org>
Subject: [PATCH 10/12] lib/syscall: Pin the task stack in collect_syscall()
Date: Tue, 13 Sep 2016 14:29:30 -0700	[thread overview]
Message-ID: <5b241e82b85e4ecc757f29ae92355064963d9fef.1473801993.git.luto@kernel.org> (raw)
In-Reply-To: <cover.1473801993.git.luto@kernel.org>
In-Reply-To: <cover.1473801993.git.luto@kernel.org>

This will avoid a potential read-after-free if collect_syscall()
(e.g. /proc/PID/syscall) is called on an exiting task.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
 lib/syscall.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/syscall.c b/lib/syscall.c
index e30e03932480..63239e097b13 100644
--- a/lib/syscall.c
+++ b/lib/syscall.c
@@ -7,9 +7,19 @@ static int collect_syscall(struct task_struct *target, long *callno,
 			   unsigned long args[6], unsigned int maxargs,
 			   unsigned long *sp, unsigned long *pc)
 {
-	struct pt_regs *regs = task_pt_regs(target);
-	if (unlikely(!regs))
+	struct pt_regs *regs;
+
+	if (!try_get_task_stack(target)) {
+		/* Task has no stack, so the task isn't in a syscall. */
+		*callno = -1;
+		return 0;
+	}
+
+	regs = task_pt_regs(target);
+	if (unlikely(!regs)) {
+		put_task_stack(target);
 		return -EAGAIN;
+	}
 
 	*sp = user_stack_pointer(regs);
 	*pc = instruction_pointer(regs);
@@ -18,6 +28,7 @@ static int collect_syscall(struct task_struct *target, long *callno,
 	if (*callno != -1L && maxargs > 0)
 		syscall_get_arguments(target, regs, 0, maxargs, args);
 
+	put_task_stack(target);
 	return 0;
 }
 
-- 
2.7.4

  parent reply	other threads:[~2016-09-13 21:29 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-09-13 21:29 [PATCH 00/12] thread_info cleanups and stack caching Andy Lutomirski
2016-09-13 21:29 ` [PATCH 01/12] x86/asm: Move 'status' from struct thread_info to struct thread_struct Andy Lutomirski
2016-09-15 10:41   ` [tip:x86/asm] x86/asm: Move the thread_info::status field to thread_struct tip-bot for Andy Lutomirski
2016-09-13 21:29 ` [PATCH 02/12] x86/entry: Get rid of pt_regs_to_thread_info() Andy Lutomirski
2016-09-15  6:21   ` Ingo Molnar
2016-09-15 10:42   ` [tip:x86/asm] " tip-bot for Linus Torvalds
2016-09-13 21:29 ` [PATCH 03/12] um: Stop conflating task_struct::stack with thread_info Andy Lutomirski
2016-09-15  6:21   ` Ingo Molnar
2016-09-15 10:42   ` [tip:x86/asm] um/Stop " tip-bot for Linus Torvalds
2016-09-13 21:29 ` [PATCH 04/12] sched: Allow putting thread_info into task_struct Andy Lutomirski
2016-09-15 10:43   ` [tip:x86/asm] sched/core: " tip-bot for Andy Lutomirski
2016-09-13 21:29 ` [PATCH 05/12] x86: Move " Andy Lutomirski
2016-09-15 10:43   ` [tip:x86/asm] " tip-bot for Andy Lutomirski
2016-09-13 21:29 ` [PATCH 06/12] sched: Add try_get_task_stack() and put_task_stack() Andy Lutomirski
2016-09-13 21:29 ` [PATCH 07/12] kthread: to_live_kthread() needs try_get_task_stack() Andy Lutomirski
2016-09-13 21:29 ` [PATCH 08/12] x86/dumpstack: Pin the target stack in save_stack_trace_tsk() Andy Lutomirski
2016-09-14 14:55   ` Josh Poimboeuf
2016-09-14 18:22     ` Andy Lutomirski
2016-09-14 18:35       ` Josh Poimboeuf
2016-09-15 18:04         ` Andy Lutomirski
2016-09-15 18:37           ` Josh Poimboeuf
2016-09-15 18:41             ` Andy Lutomirski
2016-09-15 19:19               ` Josh Poimboeuf
2016-09-16  7:47                 ` Peter Zijlstra
2016-09-16 15:12                   ` Andy Lutomirski
2016-09-16 15:31                     ` Peter Zijlstra
2016-09-16 15:32                       ` Andy Lutomirski
2016-09-16 16:35                         ` Peter Zijlstra
2016-09-15  6:37   ` Ingo Molnar
     [not found]     ` <CA+55aFxt=HLrELBE=BXUrWdh6LYs4gtu9S=yCruiDffq4HN80w@mail.gmail.com>
2016-09-15  9:27       ` Ingo Molnar
2016-09-13 21:29 ` [PATCH 09/12] x86/process: Pin the target stack in get_wchan() Andy Lutomirski
2016-09-17  2:00   ` Jann Horn
2016-09-22 22:44     ` Andy Lutomirski
2016-09-22 22:50       ` Andy Lutomirski
2016-09-23  7:43       ` Jann Horn
2016-09-23 18:28         ` Kees Cook
2016-09-23 18:34           ` Jann Horn
2016-09-26  5:10             ` Tycho Andersen
2016-09-13 21:29 ` Andy Lutomirski [this message]
2016-09-13 21:29 ` [PATCH 11/12] sched: Free the stack early if CONFIG_THREAD_INFO_IN_TASK Andy Lutomirski
2016-09-13 21:29 ` [PATCH 12/12] fork: Cache two thread stacks per cpu if CONFIG_VMAP_STACK is set Andy Lutomirski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5b241e82b85e4ecc757f29ae92355064963d9fef.1473801993.git.luto@kernel.org \
    --to=luto@kernel.org \
    --cc=bp@alien8.de \
    --cc=brgerst@gmail.com \
    --cc=jann@thejh.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).