ptrace_get_syscall_info() is potentially copying uninitialized stack
memory to userspace, since the compiler may leave a 3-byte hole near the
beginning of `info`. Fix it by adding a padding field to `struct
ptrace_syscall_info`.
Cc: sta...@vger.kernel.org
Fixes: 201766a20e30 ("ptrace: add PTRACE_GET_SYSCALL_INFO request")
Suggested-by: Dan Carpenter <dan.carpen...@oracle.com>
Signed-off-by: Peilin Ye <yepeilin...@gmail.com>
---
Change in v2:
- Add a padding field to `struct ptrace_syscall_info`, instead of
doing memset() on `info`. (Suggested by Dmitry V. Levin
<l...@altlinux.org>)
Reference: https://lwn.net/Articles/417989/
$ # before:
$ pahole -C "ptrace_syscall_info" kernel/ptrace.o
struct ptrace_syscall_info {
__u8 op; /* 0 1 */
/* XXX 3 bytes hole, try to pack */
__u32 arch __attribute__((__aligned__(4))); /*
4 4 */
__u64 instruction_pointer; /* 8 8 */
__u64 stack_pointer; /* 16 8 */
union {
struct {
__u64 nr; /* 24 8 */
__u64 args[6]; /* 32 48 */
} entry; /* 24 56 */
struct {
__s64 rval; /* 24 8 */
__u8 is_error; /* 32 1 */
} exit; /* 24 16 */
struct {
__u64 nr; /* 24 8 */
__u64 args[6]; /* 32 48 */
/* --- cacheline 1 boundary (64 bytes) was 16 bytes ago
--- */
__u32 ret_data; /* 80 4 */
} seccomp; /* 24 64 */
}; /* 24 64 */
/* size: 88, cachelines: 2, members: 5 */
/* sum members: 85, holes: 1, sum holes: 3 */
/* forced alignments: 1, forced holes: 1, sum forced holes: 3 */
/* last cacheline: 24 bytes */
} __attribute__((__aligned__(8)));
$
$ # after:
$ pahole -C "ptrace_syscall_info" kernel/ptrace.o
struct ptrace_syscall_info {
__u8 op; /* 0 1 */
__u8 pad[3]; /* 1 3 */
__u32 arch __attribute__((__aligned__(4))); /*
4 4 */
__u64 instruction_pointer; /* 8 8 */
__u64 stack_pointer; /* 16 8 */
union {
struct {
__u64 nr; /* 24 8 */
__u64 args[6]; /* 32 48 */
} entry; /* 24 56 */
struct {
__s64 rval; /* 24 8 */
__u8 is_error; /* 32 1 */
} exit; /* 24 16 */
struct {
__u64 nr; /* 24 8 */
__u64 args[6]; /* 32 48 */
/* --- cacheline 1 boundary (64 bytes) was 16 bytes ago
--- */
__u32 ret_data; /* 80 4 */
} seccomp; /* 24 64 */
}; /* 24 64 */
/* size: 88, cachelines: 2, members: 6 */
/* forced alignments: 1 */
/* last cacheline: 24 bytes */
} __attribute__((__aligned__(8)));
$ _
include/uapi/linux/ptrace.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h
index a71b6e3b03eb..a518ba514bac 100644
--- a/include/uapi/linux/ptrace.h
+++ b/include/uapi/linux/ptrace.h
@@ -81,6 +81,7 @@ struct seccomp_metadata {
struct ptrace_syscall_info {
__u8 op; /* PTRACE_SYSCALL_INFO_* */
+ __u8 pad[3];
__u32 arch __attribute__((__aligned__(sizeof(__u32))));
__u64 instruction_pointer;
__u64 stack_pointer;
--
2.25.1
