| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 1 Aug 2020 14:06:46 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: Peilin Ye <yepeilin.cs@...il.com>
Cc: Oleg Nesterov <oleg@...hat.com>,
Elvira Khabirova <lineprinter@...linux.org>,
Eugene Syromyatnikov <evgsyr@...il.com>,
Dan Carpenter <dan.carpenter@...cle.com>,
Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel-mentees@...ts.linuxfoundation.org,
linux-kernel@...r.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH v2] ptrace: Prevent
kernel-infoleak in ptrace_get_syscall_info()
On Fri, Jul 31, 2020 at 10:08:41PM -0400, Peilin Ye wrote:
> ptrace_get_syscall_info() is potentially copying uninitialized stack
> memory to userspace, since the compiler may leave a 3-byte hole near the
> beginning of `info`. Fix it by adding a padding field to `struct
> ptrace_syscall_info`.
>
> Cc: stable@...r.kernel.org
> Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request")
> Suggested-by: Dan Carpenter <dan.carpenter@...cle.com>
> Signed-off-by: Peilin Ye <yepeilin.cs@...il.com>
> ---
> Change in v2:
> - Add a padding field to `struct ptrace_syscall_info`, instead of
> doing memset() on `info`. (Suggested by Dmitry V. Levin
> <ldv@...linux.org>)
>
> Reference: https://lwn.net/Articles/417989/
>
> $ # before:
> $ pahole -C "ptrace_syscall_info" kernel/ptrace.o
> struct ptrace_syscall_info {
> __u8 op; /* 0 1 */
>
> /* XXX 3 bytes hole, try to pack */
>
> __u32 arch __attribute__((__aligned__(4))); /* 4 4 */
> __u64 instruction_pointer; /* 8 8 */
> __u64 stack_pointer; /* 16 8 */
> union {
> struct {
> __u64 nr; /* 24 8 */
> __u64 args[6]; /* 32 48 */
> } entry; /* 24 56 */
> struct {
> __s64 rval; /* 24 8 */
> __u8 is_error; /* 32 1 */
> } exit; /* 24 16 */
> struct {
> __u64 nr; /* 24 8 */
> __u64 args[6]; /* 32 48 */
> /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */
> __u32 ret_data; /* 80 4 */
> } seccomp; /* 24 64 */
> }; /* 24 64 */
>
> /* size: 88, cachelines: 2, members: 5 */
> /* sum members: 85, holes: 1, sum holes: 3 */
> /* forced alignments: 1, forced holes: 1, sum forced holes: 3 */
> /* last cacheline: 24 bytes */
> } __attribute__((__aligned__(8)));
> $
> $ # after:
> $ pahole -C "ptrace_syscall_info" kernel/ptrace.o
> struct ptrace_syscall_info {
> __u8 op; /* 0 1 */
> __u8 pad[3]; /* 1 3 */
> __u32 arch __attribute__((__aligned__(4))); /* 4 4 */
> __u64 instruction_pointer; /* 8 8 */
> __u64 stack_pointer; /* 16 8 */
> union {
> struct {
> __u64 nr; /* 24 8 */
> __u64 args[6]; /* 32 48 */
> } entry; /* 24 56 */
> struct {
> __s64 rval; /* 24 8 */
> __u8 is_error; /* 32 1 */
> } exit; /* 24 16 */
> struct {
> __u64 nr; /* 24 8 */
> __u64 args[6]; /* 32 48 */
> /* --- cacheline 1 boundary (64 bytes) was 16 bytes ago --- */
> __u32 ret_data; /* 80 4 */
> } seccomp; /* 24 64 */
> }; /* 24 64 */
>
> /* size: 88, cachelines: 2, members: 6 */
> /* forced alignments: 1 */
> /* last cacheline: 24 bytes */
> } __attribute__((__aligned__(8)));
> $ _
>
> include/uapi/linux/ptrace.h | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h
> index a71b6e3b03eb..a518ba514bac 100644
> --- a/include/uapi/linux/ptrace.h
> +++ b/include/uapi/linux/ptrace.h
> @@ -81,6 +81,7 @@ struct seccomp_metadata {
>
> struct ptrace_syscall_info {
> __u8 op; /* PTRACE_SYSCALL_INFO_* */
> + __u8 pad[3];
> __u32 arch __attribute__((__aligned__(sizeof(__u32))));
> __u64 instruction_pointer;
> __u64 stack_pointer;
Funnily enough, but in first editions of PTRACE_GET_SYSCALL_INFO
patchset [1] this was looking very similar:
+struct ptrace_syscall_info {
+ __u8 op; /* PTRACE_SYSCALL_INFO_* */
+ __u8 __pad0[3];
+ __u32 arch;
But later we decided [2][3] to replace the pad with a hole.
Note that the sole purpose of the __aligned__ attribute on the field that
follows the hole is to guarantee that the hole has the same size across
architectures. As this hole is being replaced back with a pad, that
__aligned__ attribute is no longer needed and can be omitted along with
adding the pad.
[1] https://lore.kernel.org/linux-api/20181125022150.46258a20@akathisia/
[2] https://lore.kernel.org/linux-api/20181211162305.GA480@altlinux.org/
[3] https://lore.kernel.org/linux-api/20181213171833.GA5240@altlinux.org/
--
ldv
Powered by blists - more mailing lists