Open Source and information security mailing list archives
Message-ID: <CAJu-Uz4r+s=v8p_jzd=fsa8+e8c4dH3S5iN60u8EFT0O_X2DOw@mail.gmail.com>
Date:   Thu, 2 May 2019 14:49:14 -0700
From:   Yury Norov <norov.maillist@...il.com>
To:     Joel Savitz <jsavitz@...hat.com>
Cc:     linux-kernel@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...nel.org>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Waiman Long <longman@...hat.com>,
        Mauro Carvalho Chehab <mchehab+samsung@...nel.org>,
        Kristina Martsenko <kristina.martsenko@....com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Cyrill Gorcunov <gorcunov@...il.com>,
        Kees Cook <keescook@...omium.org>,
        "Gustavo A. R. Silva" <gustavo@...eddedor.com>,
        YueHaibing <yuehaibing@...wei.com>,
        Micah Morton <mortonm@...omium.org>,
        Yang Shi <yang.shi@...ux.alibaba.com>,
        Jann Horn <jannh@...gle.com>,
        Alexey Dobriyan <adobriyan@...il.com>,
        Rafael Aquini <aquini@...hat.com>,
        Michael Kerrisk <mtk.manpages@...il.com>, yury.norov@...il.com
Subject: Re: [PATCH v2 1/2] kernel/sys: add PR_GET_TASK_SIZE option to prctl(2)

Thu, 2 May 2019 at 13:52, Joel Savitz <jsavitz@...hat.com>:
>
> When PR_GET_TASK_SIZE is passed to prctl, the kernel will attempt to
> copy the value of TASK_SIZE to the userspace address in arg2.
>
> Suggested-by: Alexey Dobriyan <adobriyan@...il.com>
> Signed-off-by: Joel Savitz <jsavitz@...hat.com>
> ---
>  include/uapi/linux/prctl.h |  3 +++
>  kernel/sys.c               | 10 ++++++++++
>  2 files changed, 13 insertions(+)
>
> diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
> index 094bb03b9cc2..2335fe0a8db8 100644
> --- a/include/uapi/linux/prctl.h
> +++ b/include/uapi/linux/prctl.h
> @@ -229,4 +229,7 @@ struct prctl_mm_map {
>  # define PR_PAC_APDBKEY                        (1UL << 3)
>  # define PR_PAC_APGAKEY                        (1UL << 4)
>
> +/* Get the process virtual memory size */
> +#define PR_GET_TASK_SIZE               55
> +
>  #endif /* _LINUX_PRCTL_H */
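Review bot: the comment above `PR_GET_TASK_SIZE` misdescribes the value it returns: `TASK_SIZE` is the upper limit of the user virtual address space, not the amount of virtual memory the process has mapped, which "process virtual memory size" suggests (that reads like VSZ). Suggest `/* Get the size of the user virtual address space (TASK_SIZE) */`. Since this adds new uAPI, the option should also be documented for prctl(2); the man-pages maintainer is already on Cc.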
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 12df0e5434b8..7ced7dbd035d 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2252,6 +2252,13 @@ static int propagate_has_child_subreaper(struct task_struct *p, void *data)
>         return 1;
>  }
>
> +static int prctl_get_tasksize(void __user * uaddr)
> +{
> +       unsigned long task_size = TASK_SIZE;
> +       return copy_to_user(uaddr, &task_size, sizeof(unsigned long))
> +                       ? -EFAULT : 0;
> +}
> +

Joel, you missed my point from the comment to v1.
This is still broken for compat architectures. On 64-bit machines compat userspace has unsigned long as u32, and therefore you corrupt user data.


>  int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which)
>  {
>         return -EINVAL;
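Review bot: the write width in `prctl_get_tasksize()` is wrong for compat callers: `copy_to_user(uaddr, &task_size, sizeof(unsigned long))` stores 8 bytes on a 64-bit kernel, but a 32-bit compat task handed over a 4-byte `unsigned long`, so the store overruns the caller's variable by 4 bytes (the point Yury raises above). Either branch on `in_compat_syscall()` and write a `compat_ulong_t` in that case, or define the uAPI value as a fixed-width `__u64` so the size is identical for every ABI. Two smaller points: use `sizeof(task_size)` instead of `sizeof(unsigned long)` so the length tracks the variable, and write the declarator as `void __user *uaddr` (no space after the `*`) per the kernel coding style.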
> @@ -2486,6 +2493,9 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
>                         return -EINVAL;
>                 error = PAC_RESET_KEYS(me, arg2);
>                 break;
> +       case PR_GET_TASK_SIZE:
> +               error = prctl_get_tasksize((void *)arg2) ;
> +               break;
>         default:
>                 error = -EINVAL;
>                 break;
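Review bot: the cast in `prctl_get_tasksize((void *)arg2) ;` drops the `__user` address-space annotation that the callee's parameter carries, so sparse will warn about it; write `(void __user *)arg2` and remove the stray space before the semicolon. Also consider rejecting non-zero `arg3`, `arg4` and `arg5` with `-EINVAL`, as other prctl options do, so those arguments can be given a meaning later without breaking existing callers.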
> --
> 2.18.1
>
