| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Nov 2019 16:10:14 +0100
From: Christian Brauner <christian.brauner@...ntu.com>
To: Szabolcs Nagy <Szabolcs.Nagy@....com>,
Florian Weimer <fweimer@...hat.com>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
GNU C Library <libc-alpha@...rceware.org>, nd <nd@....com>,
Arnd Bergmann <arnd@...db.de>,
Kees Cook <keescook@...omium.org>,
Jann Horn <jannh@...gle.com>,
David Howells <dhowells@...hat.com>,
Ingo Molnar <mingo@...hat.com>,
Oleg Nesterov <oleg@...hat.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Peter Zijlstra <peterz@...radead.org>,
"linux-api@...r.kernel.org" <linux-api@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH] clone3: validate stack arguments
On Fri, Nov 01, 2019 at 02:57:10PM +0000, Szabolcs Nagy wrote:
> On 31/10/2019 11:36, Christian Brauner wrote:
> > diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h
> > index 99335e1f4a27..25b4fa00bad1 100644
> > --- a/include/uapi/linux/sched.h
> > +++ b/include/uapi/linux/sched.h
> > @@ -51,6 +51,10 @@
> > * sent when the child exits.
> > * @stack: Specify the location of the stack for the
> > * child process.
> > + * Note, @stack is expected to point to the
> > + * lowest address. The stack direction will be
> > + * determined by the kernel and set up
> > + * appropriately based on @stack_size.
> > * @stack_size: The size of the stack for the child process.
> > * @tls: If CLONE_SETTLS is set, the tls descriptor
> > * is set to tls.
> > diff --git a/kernel/fork.c b/kernel/fork.c
> > index bcdf53125210..55af6931c6ec 100644
> > --- a/kernel/fork.c
> > +++ b/kernel/fork.c
> > @@ -2561,7 +2561,35 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
> > return 0;
> > }
> >
> > -static bool clone3_args_valid(const struct kernel_clone_args *kargs)
> > +/**
> > + * clone3_stack_valid - check and prepare stack
> > + * @kargs: kernel clone args
> > + *
> > + * Verify that the stack arguments userspace gave us are sane.
> > + * In addition, set the stack direction for userspace since it's easy for us to
> > + * determine.
> > + */
> > +static inline bool clone3_stack_valid(struct kernel_clone_args *kargs)
> > +{
> > + if (kargs->stack == 0) {
> > + if (kargs->stack_size > 0)
> > + return false;
> > + } else {
> > + if (kargs->stack_size == 0)
> > + return false;
> > +
> > + if (!access_ok((void __user *)kargs->stack, kargs->stack_size))
> > + return false;
> > +
> > +#if !defined(CONFIG_STACK_GROWSUP) && !defined(CONFIG_IA64)
> > + kargs->stack += kargs->stack_size;
> > +#endif
> > + }
>
> from the description it is not clear whose
> responsibility it is to guarantee the alignment
> of sp on entry.
Userspace.
>
> i think 0 stack size may work if signals are
> blocked and then prohibiting it might not be
> the right thing.
Note that stack size 0 is allowed:
struct clone_args args = {
.exit_signal = SIGCHLD,
};
clone3(&args, sizeof(args));
will just work fine.
>
> it's not clear how libc should deal with v5.3
> kernels which don't have the stack+=stack_size
> logic.
stable is already Cced and the change will be backported to v5.3.
Nearly all distros track pull in stable updates.
Florian, thoughts on this?
Christian
Powered by blists - more mailing lists