linux-kernel.vger.kernel.org archive mirror
* Potential information leak in save_xstate_epilog()
From: Alexander Potapenko @ 2021-11-26 11:06 UTC (permalink / raw)
  To: Chang S. Bae, Thomas Gleixner, Borislav Petkov
  Cc: Dmitriy Vyukov, Marco Elver, Taras Madan, LKML

Hi Chang, Thomas, Borislav,

"x86/fpu/signal: Prepare for variable sigframe length" has presumably
introduced an information leak to the userspace.

According to https://elixir.bootlin.com/linux/v5.16-rc2/source/arch/x86/kernel/fpu/signal.c#L126,
save_sw_bytes() only initializes the first 20 bytes of sw_bytes, but
then the whole struct is copied to the userspace.

KMSAN report follows:

=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121
BUG: KMSAN: kernel-infoleak in __copy_to_user ./include/linux/uaccess.h:154
BUG: KMSAN: kernel-infoleak in save_xstate_epilog+0x2df/0x510 arch/x86/kernel/fpu/signal.c:127
 instrument_copy_to_user ./include/linux/instrumented.h:121
 __copy_to_user ./include/linux/uaccess.h:154
 save_xstate_epilog+0x2df/0x510 arch/x86/kernel/fpu/signal.c:127
 copy_fpstate_to_sigframe+0x861/0xb60 arch/x86/kernel/fpu/signal.c:245
 get_sigframe+0x656/0x7e0 arch/x86/kernel/signal.c:296
 __setup_rt_frame+0x14d/0x2a60 arch/x86/kernel/signal.c:471
 setup_rt_frame arch/x86/kernel/signal.c:781
 handle_signal arch/x86/kernel/signal.c:825
 arch_do_signal_or_restart+0x417/0xdd0 arch/x86/kernel/signal.c:870
 handle_signal_work kernel/entry/common.c:149
 exit_to_user_mode_loop+0x1f6/0x490 kernel/entry/common.c:173
 exit_to_user_mode_prepare kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290
 syscall_exit_to_user_mode+0x7e/0xc0 kernel/entry/common.c:302
 do_syscall_64+0x60/0xd0 arch/x86/entry/common.c:88
 entry_SYSCALL_64_after_hwframe+0x44/0xae ??:?

Local variable sw_bytes created at:
 save_xstate_epilog+0x80/0x510 arch/x86/kernel/fpu/signal.c:121
 copy_fpstate_to_sigframe+0x861/0xb60 arch/x86/kernel/fpu/signal.c:245

Bytes 20-47 of 48 are uninitialized
Memory access of size 48 starts at ffff8880801d3a18
Data copied to user address 00007ffd90e2ef50
=====================================================

-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Halimah DeLaine Prado
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
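The defect the report describes, reproduced as an added user-space experiment (this is not code from the thread or from the kernel): a stack-resident struct is only partially populated and then copied in full across the kernel/user boundary, so whatever the stack slot previously held travels along with it. The struct layout below is a local copy of the kernel's struct _fpx_sw_bytes from arch/x86/include/uapi/asm/sigcontext.h (four populated fields, 20 bytes, followed by 28 bytes of padding, 48 bytes in total, which is exactly the "Bytes 20-47 of 48" KMSAN flags); the field values, the 0xA5 stale-stack marker and the copy_to_user stand-in are constructed for the example. The fixed variant is the memset(0)-before-fill that the reply suggests.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local copy of the layout of struct _fpx_sw_bytes (uapi/asm/sigcontext.h).
 * Offsets 0..19 are the populated fields, 20..47 are padding: 48 bytes, no
 * compiler-inserted holes, matching the size KMSAN reports. */
struct fpx_sw_bytes {
    uint32_t magic1;
    uint32_t extended_size;
    uint64_t xfeatures;
    uint32_t xstate_size;
    uint32_t padding[7];
};

/* Constructed marker standing in for "whatever the kernel stack held before". */
#define STALE_BYTE 0xA5

/* A pretend stack slot: the union lets the raw bytes be pre-filled with the
 * marker, so the experiment is deterministic instead of depending on what a
 * real stack happens to contain. */
union stack_slot {
    struct fpx_sw_bytes sw;
    unsigned char raw[sizeof(struct fpx_sw_bytes)];
};

/* The pattern the thread describes: only the header fields are written,
 * padding is left as found. (FP_XSTATE_MAGIC1 is the real magic value;
 * the sizes and the feature mask are constructed.) */
static void save_sw_bytes_leaky(struct fpx_sw_bytes *sw)
{
    sw->magic1 = 0x46505853u;
    sw->extended_size = 1024;
    sw->xfeatures = 0x7;
    sw->xstate_size = 832;
}

/* The fix the reply points at: zero the whole object before filling it. */
static void save_sw_bytes_fixed(struct fpx_sw_bytes *sw)
{
    memset(sw, 0, sizeof(*sw));
    save_sw_bytes_leaky(sw); /* identical field writes, now on a zeroed object */
}

/* Stand-in for copy_to_user(): the entire struct crosses the boundary. */
static void copy_to_user_stub(unsigned char *user_dst, const struct fpx_sw_bytes *sw)
{
    memcpy(user_dst, sw, sizeof(*sw));
}

/* Dirty the stack slot, run one save_sw_bytes variant, copy the struct out,
 * and count how many bytes on the "user" side still carry the stale marker,
 * i.e. bytes the kernel never intended to disclose. */
static size_t count_leaked_bytes(void (*save)(struct fpx_sw_bytes *))
{
    union stack_slot slot;
    unsigned char user_buf[sizeof(struct fpx_sw_bytes)];
    size_t i, leaked = 0;

    memset(slot.raw, STALE_BYTE, sizeof(slot.raw));
    save(&slot.sw);
    copy_to_user_stub(user_buf, &slot.sw);

    for (i = 0; i < sizeof(user_buf); i++)
        if (user_buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

size_t leaked_bytes_leaky(void) { return count_leaked_bytes(save_sw_bytes_leaky); }
size_t leaked_bytes_fixed(void) { return count_leaked_bytes(save_sw_bytes_fixed); }

int main(void)
{
    printf("leaky save_sw_bytes: %zu of %zu bytes reach userspace uninitialized\n",
           leaked_bytes_leaky(), sizeof(struct fpx_sw_bytes));
    printf("fixed save_sw_bytes: %zu of %zu bytes reach userspace uninitialized\n",
           leaked_bytes_fixed(), sizeof(struct fpx_sw_bytes));
    return 0;
}
```

The leaky variant hands 28 marker bytes to the user buffer, the zeroed one none. The union trick is only there to make the stale contents observable without a tool like KMSAN; in the real kernel the same bytes are whatever earlier frames left behind, which is why a struct that is copied out whole should be fully initialized (memset or a zeroing initializer) rather than filled field by field.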


* Re: Potential information leak in save_xstate_epilog()
From: Thomas Gleixner @ 2021-11-27 20:26 UTC (permalink / raw)
  To: Alexander Potapenko, Chang S. Bae, Borislav Petkov
  Cc: Dmitriy Vyukov, Marco Elver, Taras Madan, LKML

On Fri, Nov 26 2021 at 12:06, Alexander Potapenko wrote:
> Hi Chang, Thomas, Borislav,
>
> "x86/fpu/signal: Prepare for variable sigframe length" has presumably
> introduced an information leak to the userspace.
>
> According to https://elixir.bootlin.com/linux/v5.16-rc2/source/arch/x86/kernel/fpu/signal.c#L126,
> save_sw_bytes() only initializes the first 20 bytes of sw_bytes, but
> then the whole struct is copied to the userspace.

Yes, that clearly lacks a memset(0).

Thanks,

        tglx


* Re: Potential information leak in save_xstate_epilog()
From: Bae, Chang Seok @ 2021-12-06 18:35 UTC (permalink / raw)
  To: Alexander Potapenko
  Cc: Thomas Gleixner, Borislav Petkov, Dmitriy Vyukov, Marco Elver,
	Taras Madan, LKML

On Nov 26, 2021, at 03:06, Alexander Potapenko <glider@google.com> wrote:
> 
> Hi Chang, Thomas, Borislav,
> 
> "x86/fpu/signal: Prepare for variable sigframe length" has presumably
> introduced an information leak to the userspace.
> 
> According to https://elixir.bootlin.com/linux/v5.16-rc2/source/arch/x86/kernel/fpu/signal.c#L126,
> save_sw_bytes() only initializes the first 20 bytes of sw_bytes, but
> then the whole struct is copied to the userspace.

Looks like your fix was picked already though, thank you for catching this!

Thanks,
Chang
