lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 26 Sep 2018 17:17:25 +0200
From:   Alexander Potapenko <glider@...gle.com>
To:     oleg@...hat.com
Cc:     linux-kernel@...r.kernel.org, dvyukov@...gle.com,
        andreyknvl@...gle.com, w@....eu, avagin@...nvz.org
Subject: [PATCH] ptrace: zero out siginfo_t in ptrace_peek_siginfo()

KMSAN reported the following infoleak:

==================================================================
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x15d/0x1f0
...
Call Trace:
 __dump_stack lib/dump_stack.c:77
 dump_stack+0x2f5/0x430 lib/dump_stack.c:113
 kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:917
 kmsan_internal_check_memory+0x17e/0x1f0 mm/kmsan/kmsan.c:981
 kmsan_copy_to_user+0x79/0xc0 mm/kmsan/kmsan_hooks.c:482
 _copy_to_user+0x15d/0x1f0 lib/usercopy.c:31
 copy_to_user ./include/linux/uaccess.h:183
 copy_siginfo_to_user+0x81/0x130 kernel/signal.c:2897
 ptrace_peek_siginfo kernel/ptrace.c:741
 ptrace_request+0x2278/0x2680 kernel/ptrace.c:912
 arch_ptrace+0xbdd/0x11a0 arch/x86/kernel/ptrace.c:877
 __do_sys_ptrace kernel/ptrace.c:1145
 __se_sys_ptrace+0x422/0x920 kernel/ptrace.c:1110
 __x64_sys_ptrace+0x56/0x70 kernel/ptrace.c:1110
 do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7 arch/x86/entry/entry_64.S:240
...
Local variable description: ----info.i@...ace_request
Variable was created at:
 ptrace_peek_siginfo kernel/ptrace.c:712
 ptrace_request+0xdf/0x2680 kernel/ptrace.c:912
 arch_ptrace+0xbdd/0x11a0 arch/x86/kernel/ptrace.c:877

Bytes 16-127 of 128 are uninitialized
Memory access starts at ffff88007af6fc90
==================================================================

when calling ptrace(PTRACE_PEEKSIGINFO) for a traceable child process
with args = {-1, 0, 1}.

Initialize the |info| structure to avoid leaking stack data.

Signed-off-by: Alexander Potapenko <glider@...gle.com>
Reported-by: syzbot+69c3bd9869b32e394c48@...kaller.appspotmail.com
Fixes: 84c751bd4aebb ("ptrace: add ability to retrieve signals without
removing from a queue (v4)")
Cc: Andrey Vagin <avagin@...nvz.org>
Cc: Oleg Nesterov <oleg@...hat.com>
Cc: Willy Tarreau <w@....eu>
---
 kernel/ptrace.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 21fec73d45d4..92c3855c2b9c 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -712,6 +712,7 @@ static int ptrace_peek_siginfo(struct task_struct *child,
 		siginfo_t info;
 		s32 off = arg.off + i;
 
+		memset(&info, 0, sizeof(info));
 		spin_lock_irq(&child->sighand->siglock);
 		list_for_each_entry(q, &pending->list, list) {
 			if (!off--) {
-- 
2.19.0.605.g01d371f741-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ