lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 27 Jul 2015 11:53:33 -0700
From:	Kees Cook <keescook@...omium.org>
To:	Michael Ellerman <mpe@...erman.id.au>
Cc:	"linuxppc-dev@...abs.org" <linuxppc-dev@...abs.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Andy Lutomirski <luto@...capital.net>,
	Will Drewry <wad@...omium.org>, strosake@...ux.vnet.ibm.com,
	bogdan.purcareata@...escale.com
Subject: Re: [PATCH 07/11] powerpc: Change syscall_get_nr() to return int

On Thu, Jul 23, 2015 at 3:21 AM, Michael Ellerman <mpe@...erman.id.au> wrote:
> The documentation for syscall_get_nr() in asm-generic says:
>
>  Note this returns int even on 64-bit machines. Only 32 bits of
>  system call number can be meaningful. If the actual arch value
>  is 64 bits, this truncates to 32 bits so 0xffffffff means -1.
>
> However our implementation was never updated to reflect this.
>
> Generally it's not important, but there is once case where it matters.
>
> For seccomp filter with SECCOMP_RET_TRACE, the tracer will set
> regs->gpr[0] to -1 to reject the syscall. When the task is a compat
> task, this means we end up with 0xffffffff in r0 because ptrace will
> zero extend the 32-bit value.
>
> If syscall_get_nr() returns an unsigned long, then a 64-bit kernel will
> see a positive value in r0 and will incorrectly allow the syscall
> through seccomp.
>
> Signed-off-by: Michael Ellerman <mpe@...erman.id.au>

Reviewed-by: Kees Cook <keescook@...omium.org>

-Kees

> ---
>  arch/powerpc/include/asm/syscall.h | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
> index 8d79a87c0511..ab9f3f0a8637 100644
> --- a/arch/powerpc/include/asm/syscall.h
> +++ b/arch/powerpc/include/asm/syscall.h
> @@ -22,10 +22,15 @@
>  extern const unsigned long sys_call_table[];
>  #endif /* CONFIG_FTRACE_SYSCALLS */
>
> -static inline long syscall_get_nr(struct task_struct *task,
> -                                 struct pt_regs *regs)
> +static inline int syscall_get_nr(struct task_struct *task, struct pt_regs *regs)
>  {
> -       return TRAP(regs) == 0xc00 ? regs->gpr[0] : -1L;
> +       /*
> +        * Note that we are returning an int here. That means 0xffffffff, ie.
> +        * 32-bit negative 1, will be interpreted as -1 on a 64-bit kernel.
> +        * This is important for seccomp so that compat tasks can set r0 = -1
> +        * to reject the syscall.
> +        */
> +       return TRAP(regs) == 0xc00 ? regs->gpr[0] : -1;
>  }
>
>  static inline void syscall_rollback(struct task_struct *task,
> --
> 2.1.0
>



-- 
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ