mirror of
https://github.com/torvalds/linux.git
synced 2024-11-24 13:11:40 +00:00
4f134b89a2
Lilith >_> and Claudio Bozzato of Cisco Talos security team reported
that collect_syscall() improperly casts the syscall registers to 64-bit
values leaking the uninitialized last 24 bytes on 32-bit platforms, that
are visible in /proc/self/syscall.
The cause is that info->data.args are u64 while syscall_get_arguments()
uses longs, as hinted by the bogus pointer cast in the function.
Let's just proceed like the other call places, by retrieving the
registers into an array of longs before assigning them to the caller's
array. This was successfully tested on x86_64, i386 and ppc32.
Reference: CVE-2020-28588, TALOS-2020-1211
Fixes: 631b7abacd
("ptrace: Remove maxargs from task_current_syscall()")
Cc: Greg KH <greg@kroah.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Michael Ellerman <mpe@ellerman.id.au> (ppc32)
Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
89 lines
2.7 KiB
C
89 lines
2.7 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
#include <linux/ptrace.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/sched/task_stack.h>
|
|
#include <linux/export.h>
|
|
#include <asm/syscall.h>
|
|
|
|
static int collect_syscall(struct task_struct *target, struct syscall_info *info)
|
|
{
|
|
unsigned long args[6] = { };
|
|
struct pt_regs *regs;
|
|
|
|
if (!try_get_task_stack(target)) {
|
|
/* Task has no stack, so the task isn't in a syscall. */
|
|
memset(info, 0, sizeof(*info));
|
|
info->data.nr = -1;
|
|
return 0;
|
|
}
|
|
|
|
regs = task_pt_regs(target);
|
|
if (unlikely(!regs)) {
|
|
put_task_stack(target);
|
|
return -EAGAIN;
|
|
}
|
|
|
|
info->sp = user_stack_pointer(regs);
|
|
info->data.instruction_pointer = instruction_pointer(regs);
|
|
|
|
info->data.nr = syscall_get_nr(target, regs);
|
|
if (info->data.nr != -1L)
|
|
syscall_get_arguments(target, regs, args);
|
|
|
|
info->data.args[0] = args[0];
|
|
info->data.args[1] = args[1];
|
|
info->data.args[2] = args[2];
|
|
info->data.args[3] = args[3];
|
|
info->data.args[4] = args[4];
|
|
info->data.args[5] = args[5];
|
|
|
|
put_task_stack(target);
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* task_current_syscall - Discover what a blocked task is doing.
|
|
* @target: thread to examine
|
|
* @info: structure with the following fields:
|
|
* .sp - filled with user stack pointer
|
|
* .data.nr - filled with system call number or -1
|
|
* .data.args - filled with @maxargs system call arguments
|
|
* .data.instruction_pointer - filled with user PC
|
|
*
|
|
* If @target is blocked in a system call, returns zero with @info.data.nr
|
|
* set to the call's number and @info.data.args filled in with its
|
|
* arguments. Registers not used for system call arguments may not be available
|
|
* and it is not kosher to use &struct user_regset calls while the system
|
|
* call is still in progress. Note we may get this result if @target
|
|
* has finished its system call but not yet returned to user mode, such
|
|
* as when it's stopped for signal handling or syscall exit tracing.
|
|
*
|
|
* If @target is blocked in the kernel during a fault or exception,
|
|
* returns zero with *@info.data.nr set to -1 and does not fill in
|
|
* @info.data.args. If so, it's now safe to examine @target using
|
|
* &struct user_regset get() calls as long as we're sure @target won't return
|
|
* to user mode.
|
|
*
|
|
* Returns -%EAGAIN if @target does not remain blocked.
|
|
*/
|
|
int task_current_syscall(struct task_struct *target, struct syscall_info *info)
|
|
{
|
|
long state;
|
|
unsigned long ncsw;
|
|
|
|
if (target == current)
|
|
return collect_syscall(target, info);
|
|
|
|
state = target->state;
|
|
if (unlikely(!state))
|
|
return -EAGAIN;
|
|
|
|
ncsw = wait_task_inactive(target, state);
|
|
if (unlikely(!ncsw) ||
|
|
unlikely(collect_syscall(target, info)) ||
|
|
unlikely(wait_task_inactive(target, state) != ncsw))
|
|
return -EAGAIN;
|
|
|
|
return 0;
|
|
}
|