[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJF2gTSqUtU77HvEsQi8+akod4Fn1pEe2REH2nae39dK2VsacA@mail.gmail.com>
Date: Sun, 30 Oct 2022 08:03:33 +0800
From: Guo Ren <guoren@...nel.org>
To: Jisheng Zhang <jszhang@...nel.org>
Cc: Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] riscv: process: fix kernel info leakage
On Sat, Oct 29, 2022 at 7:44 PM Jisheng Zhang <jszhang@...nel.org> wrote:
>
> thread_struct's s[12] may contain random kernel memory content, which
> may be finally leaked to userspace. This is a security hole. Fix it
> by clearing the s[12] array in thread_struct when fork.
>
> As for kthread case, it's better to clear the s[12] array as well.
>
> Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
> Signed-off-by: Jisheng Zhang <jszhang@...nel.org>
> ---
>
> Previously, it's one of the series of "riscv: entry: further clean up
> and VMAP_STACK fix". This is a fix, so I move it out of the series and
> send it separately
>
> arch/riscv/kernel/process.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c
> index ceb9ebab6558..52002d54b163 100644
> --- a/arch/riscv/kernel/process.c
> +++ b/arch/riscv/kernel/process.c
> @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
> unsigned long tls = args->tls;
> struct pt_regs *childregs = task_pt_regs(p);
>
> + memset(&p->thread.s, 0, sizeof(p->thread.s));
Tested-by: Guo Ren <guoren@...nel.org>
> +
> /* p->thread holds context to be restored by __switch_to() */
> if (unlikely(args->fn)) {
> /* Kernel thread */
> --
> 2.37.2
>
--
Best Regards
Guo Ren
Powered by blists - more mailing lists