| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 May 2019 14:49:14 -0700
From: Yury Norov <norov.maillist@...il.com>
To: Joel Savitz <jsavitz@...hat.com>
Cc: linux-kernel@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...nel.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Waiman Long <longman@...hat.com>,
Mauro Carvalho Chehab <mchehab+samsung@...nel.org>,
Kristina Martsenko <kristina.martsenko@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
Cyrill Gorcunov <gorcunov@...il.com>,
Kees Cook <keescook@...omium.org>,
"Gustavo A. R. Silva" <gustavo@...eddedor.com>,
YueHaibing <yuehaibing@...wei.com>,
Micah Morton <mortonm@...omium.org>,
Yang Shi <yang.shi@...ux.alibaba.com>,
Jann Horn <jannh@...gle.com>,
Alexey Dobriyan <adobriyan@...il.com>,
Rafael Aquini <aquini@...hat.com>,
Michael Kerrisk <mtk.manpages@...il.com>, yury.norov@...il.com
Subject: Re: [PATCH v2 1/2] kernel/sys: add PR_GET_TASK_SIZE option to prctl(2)
чт, 2 мая 2019 г. в 13:52, Joel Savitz <jsavitz@...hat.com>:
>
> When PR_GET_TASK_SIZE is passed to prctl, the kernel will attempt to
> copy the value of TASK_SIZE to the userspace address in arg2.
>
> Suggested-by: Alexey Dobriyan <adobriyan@...il.com>
> Signed-off-by: Joel Savitz <jsavitz@...hat.com>
> ---
> include/uapi/linux/prctl.h | 3 +++
> kernel/sys.c | 10 ++++++++++
> 2 files changed, 13 insertions(+)
>
> diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
> index 094bb03b9cc2..2335fe0a8db8 100644
> --- a/include/uapi/linux/prctl.h
> +++ b/include/uapi/linux/prctl.h
> @@ -229,4 +229,7 @@ struct prctl_mm_map {
> # define PR_PAC_APDBKEY (1UL << 3)
> # define PR_PAC_APGAKEY (1UL << 4)
>
> +/* Get the process virtual memory size */
> +#define PR_GET_TASK_SIZE 55
> +
> #endif /* _LINUX_PRCTL_H */
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 12df0e5434b8..7ced7dbd035d 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2252,6 +2252,13 @@ static int propagate_has_child_subreaper(struct task_struct *p, void *data)
> return 1;
> }
>
> +static int prctl_get_tasksize(void __user * uaddr)
> +{
> + unsigned long task_size = TASK_SIZE;
> + return copy_to_user(uaddr, &task_size, sizeof(unsigned long))
> + ? -EFAULT : 0;
> +}
> +
Joel, you missed my point from the comment to v1.
This is still broken for compat architectures. On 64 bit machines
compat userspace
has unsigned long as u32, and therefore you corrupt user data.
> int __weak arch_prctl_spec_ctrl_get(struct task_struct *t, unsigned long which)
> {
> return -EINVAL;
> @@ -2486,6 +2493,9 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
> return -EINVAL;
> error = PAC_RESET_KEYS(me, arg2);
> break;
> + case PR_GET_TASK_SIZE:
> + error = prctl_get_tasksize((void *)arg2) ;
> + break;
> default:
> error = -EINVAL;
> break;
> --
> 2.18.1
>
Powered by blists - more mailing lists