lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1558941788-969-1-git-send-email-dianzhangchen0@gmail.com>
Date:   Mon, 27 May 2019 15:23:08 +0800
From:   Dianzhang Chen <dianzhangchen0@...il.com>
To:     akpm@...ux-foundation.org
Cc:     gorcunov@...il.com, kristina.martsenko@....com,
        ebiederm@...ssion.com, j.neuschaefer@....net, jannh@...gle.com,
        mortonm@...omium.org, yang.shi@...ux.alibaba.com,
        linux-kernel@...r.kernel.org,
        Dianzhang Chen <dianzhangchen0@...il.com>
Subject: [PATCH] kernel/sys.c: fix possible spectre-v1 in do_prlimit()

The `resource` in do_prlimit() is controlled by userspace via syscall: setrlimit(defined in kernel/sys.c), hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
The relevant code in do_prlimit() is as below:

if (resource >= RLIM_NLIMITS)
        return -EINVAL;
...
rlim = tsk->signal->rlim + resource;    // use resource as index
...
            *old_rlim = *rlim;

Fix this by sanitizing resource before using it to index tsk->signal->rlim.

Signed-off-by: Dianzhang Chen <dianzhangchen0@...il.com>
---
 kernel/sys.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/sys.c b/kernel/sys.c
index bdbfe8d..7eba1ca 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1532,6 +1532,8 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
 
 	if (resource >= RLIM_NLIMITS)
 		return -EINVAL;
+
+	resource = array_index_nospec(resource, RLIM_NLIMITS);
 	if (new_rlim) {
 		if (new_rlim->rlim_cur > new_rlim->rlim_max)
 			return -EINVAL;
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ