ptrace: fix kernel-infoleak-after-free in copy_siginfo_to_user

Message ID tencent_7ECF840DDF25850DD4923CDDD3DDE1197A07@qq.com
State New
Series ptrace: fix kernel-infoleak-after-free in copy_siginfo_to_user

Commit Message

Edward Adam Davis Dec. 31, 2023, 2:41 a.m. UTC
To avoid kernel memory leakage into user space, memory should be manually
allocated instead of using memory from the kernel stack.

Reported-and-tested-by: syzbot+cfc08744435c4cf94a40@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 kernel/ptrace.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
  

Patch

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index d8b5e13a2229..8bd346b10c6e 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -1033,7 +1033,7 @@  int ptrace_request(struct task_struct *child, long request,
 {
 	bool seized = child->ptrace & PT_SEIZED;
 	int ret = -EIO;
-	kernel_siginfo_t siginfo, *si;
+	kernel_siginfo_t siginfo, *si, *psiginfo;
 	void __user *datavp = (void __user *) data;
 	unsigned long __user *datalp = datavp;
 	unsigned long flags;
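Review bot: `psiginfo` is added as a function-wide variable next to `siginfo` although it is only used in the PTRACE_GETSIGINFO case, while `siginfo` stays in scope for PTRACE_SETSIGINFO, so the function now carries two buffers for the same struct. Either declare `psiginfo` inside that case block or, if the stack buffer is really the problem, take `siginfo` off that path as well. The hunk gives no reason why a heap buffer is safer than the stack one; the changelog should state which bytes were reaching user space and how the location of the destination buffer changes that.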
@@ -1061,9 +1061,13 @@  int ptrace_request(struct task_struct *child, long request,
 		break;
 
 	case PTRACE_GETSIGINFO:
-		ret = ptrace_getsiginfo(child, &siginfo);
+		psiginfo = kvmalloc(sizeof(kernel_siginfo_t), GFP_KERNEL);
+		if (!psiginfo)
+			break;
+		ret = ptrace_getsiginfo(child, psiginfo);
 		if (!ret)
-			ret = copy_siginfo_to_user(datavp, &siginfo);
+			ret = copy_siginfo_to_user(datavp, psiginfo);
+		kvfree(psiginfo);
 		break;
 
 	case PTRACE_SETSIGINFO:
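Review bot: the failure path `if (!psiginfo) break;` returns the initial `ret = -EIO` instead of `-ENOMEM`; add `ret = -ENOMEM;` before the `break`. More importantly, `kvmalloc(sizeof(kernel_siginfo_t), GFP_KERNEL)` hands back uninitialised memory exactly as the stack `siginfo` did, so if the report is about stale or padding bytes reaching user space through `copy_siginfo_to_user`, moving the buffer from the stack to the heap does not remove them; either zero the buffer (`kzalloc`, or `clear_siginfo()` on the existing stack variable, which avoids the allocation entirely) or explain in the changelog what the heap buffer fixes. The subject says "infoleak-after-free", which points at the source of the copy inside `ptrace_getsiginfo`, not at the destination buffer this hunk replaces. Also, `kvmalloc`/`kvfree` for a small fixed-size struct is unusual in this file; `kmalloc`/`kfree` is the norm for a `sizeof()`-sized allocation.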