From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932654AbcIMV36 (ORCPT <rfc822;w@1wt.eu>);
        Tue, 13 Sep 2016 17:29:58 -0400
Received: from mail.kernel.org ([198.145.29.136]:34408 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S932548AbcIMV3x (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Sep 2016 17:29:53 -0400
From: Andy Lutomirski <luto@kernel.org>
To: x86@kernel.org
Cc: Borislav Petkov <bp@alien8.de>, linux-kernel@vger.kernel.org,
        Brian Gerst <brgerst@gmail.com>, Jann Horn <jann@thejh.net>,
        Andy Lutomirski <luto@kernel.org>
Subject: [PATCH 10/12] lib/syscall: Pin the task stack in collect_syscall()
Date: Tue, 13 Sep 2016 14:29:30 -0700
Message-Id: <5b241e82b85e4ecc757f29ae92355064963d9fef.1473801993.git.luto@kernel.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <cover.1473801993.git.luto@kernel.org>
References: <cover.1473801993.git.luto@kernel.org>
In-Reply-To: <cover.1473801993.git.luto@kernel.org>
References: <cover.1473801993.git.luto@kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This will avoid a potential read-after-free if collect_syscall()
(e.g. /proc/PID/syscall) is called on an exiting task.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
 lib/syscall.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/syscall.c b/lib/syscall.c
index e30e03932480..63239e097b13 100644
--- a/lib/syscall.c
+++ b/lib/syscall.c
@@ -7,9 +7,19 @@ static int collect_syscall(struct task_struct *target, long *callno,
 			   unsigned long args[6], unsigned int maxargs,
 			   unsigned long *sp, unsigned long *pc)
 {
-	struct pt_regs *regs = task_pt_regs(target);
-	if (unlikely(!regs))
+	struct pt_regs *regs;
+
+	if (!try_get_task_stack(target)) {
+		/* Task has no stack, so the task isn't in a syscall. */
+		*callno = -1;
+		return 0;
+	}
+
+	regs = task_pt_regs(target);
+	if (unlikely(!regs)) {
+		put_task_stack(target);
 		return -EAGAIN;
+	}
 
 	*sp = user_stack_pointer(regs);
 	*pc = instruction_pointer(regs);
@@ -18,6 +28,7 @@ static int collect_syscall(struct task_struct *target, long *callno,
 	if (*callno != -1L && maxargs > 0)
 		syscall_get_arguments(target, regs, 0, maxargs, args);
 
+	put_task_stack(target);
 	return 0;
 }
 
-- 
2.7.4