| Message ID | 20221029113450.4027-1-jszhang@kernel.org |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp1309049wru;
Sat, 29 Oct 2022 04:52:40 -0700 (PDT)
X-Google-Smtp-Source:
AMsMyM5xWjXncfJCr6YyW3nNwy+d4YiydTaAK2DYgxcY7xEcMA7rZbsLNTNjGkl11u9tqkuaJbi/
X-Received: by 2002:a62:1e81:0:b0:563:8689:d295 with SMTP id
e123-20020a621e81000000b005638689d295mr4155216pfe.6.1667044359937;
Sat, 29 Oct 2022 04:52:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1667044359; cv=none;
d=google.com; s=arc-20160816;
b=dKVGwug+nT9b6eqztyoQjsMIeapOwiRROKzZXQLi9KCXpuwjUrDrxB7wFo6KbzSDgb
9BfMF/27Op7CNPsmpBrDpxiu+3am95B1yGZkCeHVpP/Q89s9GCtoCV3Ws0AIoKxHUmiQ
w1KXZhYJSB70lSMJRWzCQNR1KQvCVw9C7ziWd1xfJhV+P8bDbrwBpjfUloE5S5L52fcc
n6xlTh3d5RA81HpwyIDnhNqMnfNLtbECdT58EUb2E2yuq79jfOY/aHd7SSq7x3y2I7YS
i16rM4Xly/58oVId7U9b7BvB4rRgGgP6n2stv28I2id8pud+3l2lmrpx07SNQOjsuazJ
uqwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=yE8ce/R92CCoEujuXQ/3LVrlytcgzdtb1gwjjAnrsck=;
b=I4lpe6XuJUWY20u7ccjZJq3fpKtEV6LdddIyqc2CigbThVzlIL4v0NR4klPMKk6OUR
p8X8A2iCr294czvnSQVuNj8CLWgYln1e5rKKp76ipkDBOjMeP1OpspdaPlekR/2/ITWf
FqeUprjJDQcKH/aWUaw5d9jrmHDSviidfqSTz0Dk3FKuJMV1b7M01wUDquAPO9Q7w97L
HmLTX1EaR1X5Vvz9iIxliylPGsKxmuUXG/rqobGg/hhR/sE2UEiN61H5al3vqWNxK4Jy
wMgBoHDhGQH+Dos1M57cR8OkpaG5ILe56+gD31GMOiEFX/vXgiX1EiuCVF3Lo3DqTtT3
zpyw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=lJQCVzoS;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
l71-20020a63914a000000b0046ece301e82si1694012pge.756.2022.10.29.04.52.27;
Sat, 29 Oct 2022 04:52:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=lJQCVzoS;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229636AbiJ2Loq (ORCPT <rfc822;pusanteemu@gmail.com> + 99 others);
Sat, 29 Oct 2022 07:44:46 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33116 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229542AbiJ2Lop (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sat, 29 Oct 2022 07:44:45 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org
[IPv6:2604:1380:4601:e00::1])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B7DE3140A4
for <linux-kernel@vger.kernel.org>;
Sat, 29 Oct 2022 04:44:33 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ams.source.kernel.org (Postfix) with ESMTPS id 697CDB80B89
for <linux-kernel@vger.kernel.org>;
Sat, 29 Oct 2022 11:44:32 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 964CFC433C1;
Sat, 29 Oct 2022 11:44:29 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
s=k20201202; t=1667043871;
bh=J28JdYpCrFXzwuwKWXs/vDRdRU6kc34gc/wpq/7Yrq8=;
h=From:To:Cc:Subject:Date:From;
b=lJQCVzoSRltfxdwtmLMUMk60jyAIBldT+rATXalj1lD5A5fdYS8ez64sIMxWGpJdX
5HV08QwiLSVQVzjLC55XS3hzSrmfzWOIhpoYVQxeyPHn1ZDllNA7f6oP3hF8AGzmuy
CCAmBvlilfgvUeUZsPYNb1Yk/RqYWqRLcDSV4Cj5n2DU6VIzZp05LYmO2Gw/m+6GPk
W5vqpciI8BDDspbmGhZDRmjrlqd6ELaWZcV8t6t6z1E7HG6C07tmfmfYAwhLK6GgUH
mZlOX30ktd2RmODr8Px4kWDSGXuO8G8O8yol2yAg1ZOyYtJhWFAlskOIL5I2qzCCSK
ISn6ycpXNsiaQ==
From: Jisheng Zhang <jszhang@kernel.org>
To: Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>, Guo Ren <guoren@kernel.org>
Cc: linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] riscv: process: fix kernel info leakage
Date: Sat, 29 Oct 2022 19:34:50 +0800
Message-Id: <20221029113450.4027-1-jszhang@kernel.org>
X-Mailer: git-send-email 2.37.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1748022706998477915?=
X-GMAIL-MSGID: =?utf-8?q?1748022706998477915?=
|
| Series |
riscv: process: fix kernel info leakage
|
|
Commit Message
Jisheng Zhang
Oct. 29, 2022, 11:34 a.m. UTC
thread_struct's s[12] may contain random kernel memory content, which
may be finally leaked to userspace. This is a security hole. Fix it
by clearing the s[12] array in thread_struct when fork.
As for kthread case, it's better to clear the s[12] array as well.
Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
---
Previously, it's one of the series of "riscv: entry: further clean up
and VMAP_STACK fix". This is a fix, so I move it out of the series and
send it separately
arch/riscv/kernel/process.c | 2 ++
1 file changed, 2 insertions(+)
Comments
On Sat, Oct 29, 2022 at 7:44 PM Jisheng Zhang <jszhang@kernel.org> wrote: > > thread_struct's s[12] may contain random kernel memory content, which > may be finally leaked to userspace. This is a security hole. Fix it > by clearing the s[12] array in thread_struct when fork. > > As for kthread case, it's better to clear the s[12] array as well. > > Fixes: 7db91e57a0ac ("RISC-V: Task implementation") > Signed-off-by: Jisheng Zhang <jszhang@kernel.org> > --- > > Previously, it's one of the series of "riscv: entry: further clean up > and VMAP_STACK fix". This is a fix, so I move it out of the series and > send it separately > > arch/riscv/kernel/process.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c > index ceb9ebab6558..52002d54b163 100644 > --- a/arch/riscv/kernel/process.c > +++ b/arch/riscv/kernel/process.c > @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) > unsigned long tls = args->tls; > struct pt_regs *childregs = task_pt_regs(p); > > + memset(&p->thread.s, 0, sizeof(p->thread.s)); Tested-by: Guo Ren <guoren@kernel.org> > + > /* p->thread holds context to be restored by __switch_to() */ > if (unlikely(args->fn)) { > /* Kernel thread */ > -- > 2.37.2 >
On Sat, Oct 29, 2022 at 07:34:50PM +0800, Jisheng Zhang wrote: > thread_struct's s[12] may contain random kernel memory content, which > may be finally leaked to userspace. This is a security hole. Fix it > by clearing the s[12] array in thread_struct when fork. > > As for kthread case, it's better to clear the s[12] array as well. > > Fixes: 7db91e57a0ac ("RISC-V: Task implementation") > Signed-off-by: Jisheng Zhang <jszhang@kernel.org> > --- > > Previously, it's one of the series of "riscv: entry: further clean up > and VMAP_STACK fix". This is a fix, so I move it out of the series and > send it separately Should this not be carrying a R-b from Guo Ren from that series? https://lore.kernel.org/linux-riscv/CAJF2gTSdVyAaM12T+7kXAdRPGS4VyuO08X1c7paE-n4Fr8OtRA@mail.gmail.com/ > > arch/riscv/kernel/process.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c > index ceb9ebab6558..52002d54b163 100644 > --- a/arch/riscv/kernel/process.c > +++ b/arch/riscv/kernel/process.c > @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) > unsigned long tls = args->tls; > struct pt_regs *childregs = task_pt_regs(p); > > + memset(&p->thread.s, 0, sizeof(p->thread.s)); > + > /* p->thread holds context to be restored by __switch_to() */ > if (unlikely(args->fn)) { > /* Kernel thread */ > -- > 2.37.2 >
On Sat, 29 Oct 2022 19:34:50 +0800, Jisheng Zhang wrote: > thread_struct's s[12] may contain random kernel memory content, which > may be finally leaked to userspace. This is a security hole. Fix it > by clearing the s[12] array in thread_struct when fork. > > As for kthread case, it's better to clear the s[12] array as well. > > > [...] Applied, thanks! [1/1] riscv: process: fix kernel info leakage https://git.kernel.org/palmer/c/6510c78490c4 Best regards,
Hello: This patch was applied to riscv/linux.git (fixes) by Palmer Dabbelt <palmer@rivosinc.com>: On Sat, 29 Oct 2022 19:34:50 +0800 you wrote: > thread_struct's s[12] may contain random kernel memory content, which > may be finally leaked to userspace. This is a security hole. Fix it > by clearing the s[12] array in thread_struct when fork. > > As for kthread case, it's better to clear the s[12] array as well. > > Fixes: 7db91e57a0ac ("RISC-V: Task implementation") > Signed-off-by: Jisheng Zhang <jszhang@kernel.org> > > [...] Here is the summary with links: - riscv: process: fix kernel info leakage https://git.kernel.org/riscv/c/6510c78490c4 You are awesome, thank you!
diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index ceb9ebab6558..52002d54b163 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) unsigned long tls = args->tls; struct pt_regs *childregs = task_pt_regs(p); + memset(&p->thread.s, 0, sizeof(p->thread.s)); + /* p->thread holds context to be restored by __switch_to() */ if (unlikely(args->fn)) { /* Kernel thread */