lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20241001005322.9e65df06e0f7c4aac19337ca@kernel.org>
Date: Tue, 1 Oct 2024 00:53:22 +0900
From: Masami Hiramatsu (Google) <mhiramat@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Oleg Nesterov <oleg@...hat.com>, Steven Rostedt <rostedt@...dmis.org>,
 Masami Hiramatsu <mhiramat@...nel.org>, linux-kernel@...r.kernel.org
Subject: [GIT PULL] probes: Fixes for v6.12-rc1

Hi Linus,

Probes fixes for v6.12-rc1:

 - uprobes: fix kernel info leak via "[uprobes]" vma
   Fix uprobes not to expose the uninitialized page for trampoline
   buffer to user space, which can leak kernel info.


Please pull the latest probes-fixes-v6.12-rc1 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
probes-fixes-v6.12-rc1

Tag SHA1: ee48a9b9cc6cb804d0a49359b8d85290020b72e2
Head SHA1: 34820304cc2cd1804ee1f8f3504ec77813d29c8e


Oleg Nesterov (1):
      uprobes: fix kernel info leak via "[uprobes]" vma

----
 kernel/events/uprobes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
---------------------------
commit 34820304cc2cd1804ee1f8f3504ec77813d29c8e
Author: Oleg Nesterov <oleg@...hat.com>
Date:   Sun Sep 29 18:20:47 2024 +0200

    uprobes: fix kernel info leak via "[uprobes]" vma
    
    xol_add_vma() maps the uninitialized page allocated by __create_xol_area()
    into userspace. On some architectures (x86) this memory is readable even
    without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,
    although this doesn't really matter, debugger can read this memory anyway.
    
    Link: https://lore.kernel.org/all/20240929162047.GA12611@redhat.com/
    
    Reported-by: Will Deacon <will@...nel.org>
    Fixes: d4b3b6384f98 ("uprobes/core: Allocate XOL slots for uprobes use")
    Cc: stable@...r.kernel.org
    Acked-by: Masami Hiramatsu (Google) <mhiramat@...nel.org>
    Signed-off-by: Oleg Nesterov <oleg@...hat.com>
    Signed-off-by: Masami Hiramatsu (Google) <mhiramat@...nel.org>

diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 2ec796e2f055..4b52cb2ae6d6 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1545,7 +1545,7 @@ static struct xol_area *__create_xol_area(unsigned long vaddr)
 	if (!area->bitmap)
 		goto free_area;
 
-	area->page = alloc_page(GFP_HIGHUSER);
+	area->page = alloc_page(GFP_HIGHUSER | __GFP_ZERO);
 	if (!area->page)
 		goto free_bitmap;
 

-- 
Masami Hiramatsu (Google) <mhiramat@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ