From patchwork Wed Jan 11 18:39:25 2023
X-Patchwork-Submitter: tip-bot2 for Thomas Gleixner
X-Patchwork-Id: 42140
Date: Wed, 11 Jan 2023 18:39:25 -0000
From: "tip-bot2 for Jann Horn"
Sender: tip-bot2@linutronix.de
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: timers/core] timers: Prevent union confusion from unexpected restart_syscall()
Cc: Jann Horn, Thomas Gleixner, x86@kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20230105134403.754986-1-jannh@google.com>
References: <20230105134403.754986-1-jannh@google.com>
Message-ID: <167346236586.4906.18034926965503097572.tip-bot2@tip-bot2>

The following commit has been merged into the timers/core branch of tip:

Commit-ID:     9f76d59173d9d146e96c66886b671c1915a5c5e5
Gitweb:        https://git.kernel.org/tip/9f76d59173d9d146e96c66886b671c1915a5c5e5
Author:        Jann Horn
AuthorDate:    Thu, 05 Jan 2023 14:44:03 +01:00
Committer:     Thomas Gleixner
CommitterDate: Wed, 11 Jan 2023 19:31:47 +01:00

timers: Prevent union confusion from unexpected restart_syscall()

The nanosleep syscalls use the restart_block mechanism, with a quirk:
The `type` and `rmtp`/`compat_rmtp` fields are set up unconditionally on
syscall entry, while the rest of the restart_block is only set up in the
unlikely case that the syscall is actually interrupted by a signal (or
pseudo-signal) that doesn't have a signal handler.

If the restart_block was set up by a previous syscall (futex(..., FUTEX_WAIT, ...)
or poll()) and hasn't been invalidated somehow since then, this will
clobber some of the union fields used by futex_wait_restart() and
do_restart_poll().

If userspace afterwards wrongly calls the restart_syscall syscall,
futex_wait_restart()/do_restart_poll() will read struct fields that have
been clobbered.

This doesn't actually lead to anything particularly interesting because
none of the union fields contain trusted kernel data, and
futex(..., FUTEX_WAIT, ...) and poll() aren't syscalls where it makes
much sense to apply seccomp filters to their arguments.

So the current consequences are just of the "if userspace does bad
stuff, it can damage itself, and that's not a problem" flavor.

But still, it seems like a hazard for future developers, so invalidate
the restart_block when partly setting it up in the nanosleep syscalls.

Signed-off-by: Jann Horn
Signed-off-by: Thomas Gleixner
Link: https://lore.kernel.org/r/20230105134403.754986-1-jannh@google.com
---
 kernel/time/hrtimer.c      | 2 ++
 kernel/time/posix-stubs.c  | 2 ++
 kernel/time/posix-timers.c | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c index 3ae661a..e4f0e3b 100644 --- a/kernel/time/hrtimer.c +++ b/kernel/time/hrtimer.c @@ -2126,6 +2126,7 @@ SYSCALL_DEFINE2(nanosleep, struct __kernel_timespec __user *, rqtp, if (!timespec64_valid(&tu)) return -EINVAL; + current->restart_block.fn = do_no_restart_syscall; current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; current->restart_block.nanosleep.rmtp = rmtp; return hrtimer_nanosleep(timespec64_to_ktime(tu), HRTIMER_MODE_REL, @@ -2147,6 +2148,7 @@ SYSCALL_DEFINE2(nanosleep_time32, struct old_timespec32 __user *, rqtp, if (!timespec64_valid(&tu)) return -EINVAL; + current->restart_block.fn = do_no_restart_syscall; current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; current->restart_block.nanosleep.compat_rmtp = rmtp; return hrtimer_nanosleep(timespec64_to_ktime(tu), HRTIMER_MODE_REL,
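Review bot: the added `current->restart_block.fn = do_no_restart_syscall;` in both hrtimer.c hunks (nanosleep and nanosleep_time32) lands without a comment, and the reason it is needed is not visible from the surrounding code: `nanosleep.type` and `nanosleep.rmtp`/`compat_rmtp` are written unconditionally on the fast path while the rest of the restart_block is only filled in if the sleep is actually interrupted, so without the reset a stale futex/poll restart_block keeps its old `fn` but now carries clobbered union fields. A one-line comment above the assignment, along the lines of `/* Invalidate any stale restart_block before partially setting up nanosleep */`, would stop a later reader from treating the line as redundant and dropping it.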
diff --git a/kernel/time/posix-stubs.c b/kernel/time/posix-stubs.c index 90ea5f3..828aeec 100644 --- a/kernel/time/posix-stubs.c +++ b/kernel/time/posix-stubs.c @@ -147,6 +147,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags, return -EINVAL; if (flags & TIMER_ABSTIME) rmtp = NULL; + current->restart_block.fn = do_no_restart_syscall; current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; current->restart_block.nanosleep.rmtp = rmtp; texp = timespec64_to_ktime(t); @@ -240,6 +241,7 @@ SYSCALL_DEFINE4(clock_nanosleep_time32, clockid_t, which_clock, int, flags, return -EINVAL; if (flags & TIMER_ABSTIME) rmtp = NULL; + current->restart_block.fn = do_no_restart_syscall; current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; current->restart_block.nanosleep.compat_rmtp = rmtp; texp = timespec64_to_ktime(t); diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c index 5dead89..0c8a87a 100644 --- a/kernel/time/posix-timers.c +++ b/kernel/time/posix-timers.c @@ -1270,6 +1270,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags, return -EINVAL; if (flags & TIMER_ABSTIME) rmtp = NULL; + current->restart_block.fn = do_no_restart_syscall; current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; current->restart_block.nanosleep.rmtp = rmtp; @@ -1297,6 +1298,7 @@ SYSCALL_DEFINE4(clock_nanosleep_time32, clockid_t, which_clock, int, flags, return -EINVAL; if (flags & TIMER_ABSTIME) rmtp = NULL; + current->restart_block.fn = do_no_restart_syscall; current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; current->restart_block.nanosleep.compat_rmtp = rmtp;
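Review bot: the same two-statement pattern (reset `fn`, then assign `nanosleep.type` and `nanosleep.rmtp`/`compat_rmtp`) is now duplicated six times across hrtimer.c, posix-stubs.c and posix-timers.c, and the two clock_nanosleep hunks in posix-stubs.c mirror the ones in posix-timers.c line for line. Consider a small shared helper, for example a `static inline` function in a common header that takes the `rmtp` pointer and the `TT_*` type and performs both the `do_no_restart_syscall` invalidation and the type/rmtp assignment; that keeps the stubs and the full implementation from drifting apart and makes it impossible for a future nanosleep-style caller to set up `type` and `rmtp` without also invalidating `fn`, which is exactly the hazard the commit message is trying to remove.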