From patchwork Sun Mar 22 04:39:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Morton X-Patchwork-Id: 228910 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 26C6FC4332E for ; Sun, 22 Mar 2020 04:49:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D8369206F9 for ; Sun, 22 Mar 2020 04:49:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1584852556; bh=+XT11jeDv1p40IvxgewUHNGU1dbfEDAW2ShYPS7T1NM=; h=Date:From:To:Subject:In-Reply-To:List-ID:From; b=aQ/zBPHCLEGML0szL2DE7DC7ScYDDgXuW31aJpusoRE6SMyYDE/uwQ3GaCOvASw/H b9HD69M+dc45lcRag0UOlgHZwNKKrrP018JJ5D27XTdneG82Q7ZU0zgP2PZuXZEMao WMAO/HNTzII75FX/Dy/GnyCeEg0WCCXRVQTwQyI8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725825AbgCVEtP (ORCPT ); Sun, 22 Mar 2020 00:49:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:34496 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725765AbgCVEtO (ORCPT ); Sun, 22 Mar 2020 00:49:14 -0400 Received: from localhost.localdomain (c-73-231-172-41.hsd1.ca.comcast.net [73.231.172.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C9F46206F9; Sun, 22 Mar 2020 04:39:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1584851984; bh=+XT11jeDv1p40IvxgewUHNGU1dbfEDAW2ShYPS7T1NM=; h=Date:From:To:Subject:In-Reply-To:From; b=1hAISbPPVyKb42pUBTWTbyH7exhT5RkABtL0Qe/1vrBEn8N9BmuHZWSeKKCRtAeoR 91IkRZXSC4VR/h5M4Aj4reOVhh9kr/+WPc5f7jofxtEtkNgsfW2DadNC6loz8rZwWL aqfUUXFM7E5CbBk43WSD8nvBPTab3vgLrx9MipCY= Date: Sat, 21 Mar 2020 21:39:43 -0700 From: Andrew Morton To: arnd@arndb.de, ebiggers@google.com, glider@google.com, gregkh@linuxfoundation.org, keescook@chromium.org, mm-commits@vger.kernel.org, rafael@kernel.org, stable@vger.kernel.org, viro@zeniv.linux.org.uk Subject: + libfs-fix-infoleak-in-simple_attr_read.patch added to -mm tree Message-ID: <20200322043943.GCnF6HIYE%akpm@linux-foundation.org> In-Reply-To: <20200321181954.c0564dfd5514cd742b534884@linux-foundation.org> User-Agent: s-nail v14.8.16 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The patch titled Subject: libfs: fix infoleak in simple_attr_read() has been added to the -mm tree. Its filename is libfs-fix-infoleak-in-simple_attr_read.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/libfs-fix-infoleak-in-simple_attr_read.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/libfs-fix-infoleak-in-simple_attr_read.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Eric Biggers Subject: libfs: fix infoleak in simple_attr_read() Reading from a debugfs file at a nonzero position, without first reading at position 0, leaks uninitialized memory to userspace. It's a bit tricky to do this, since lseek() and pread() aren't allowed on these files, and write() doesn't update the position on them. But writing to them with splice() *does* update the position: #define _GNU_SOURCE 1 #include #include #include int main() { int pipes[2], fd, n, i; char buf[32]; pipe(pipes); write(pipes[1], "0", 1); fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR); splice(pipes[0], NULL, fd, NULL, 1, 0); n = read(fd, buf, sizeof(buf)); for (i = 0; i < n; i++) printf("%02x", buf[i]); printf(" "); } Output: 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30 Fix the infoleak by making simple_attr_read() always fill simple_attr::get_buf if it hasn't been filled yet. Link: http://lkml.kernel.org/r/20200308023849.988264-1-ebiggers@kernel.org Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files") Signed-off-by: Eric Biggers Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com Reported-by: Alexander Potapenko Cc: Al Viro Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Cc: Kees Cook Cc: Signed-off-by: Andrew Morton --- fs/libfs.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/fs/libfs.c~libfs-fix-infoleak-in-simple_attr_read +++ a/fs/libfs.c @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode { struct simple_attr *attr; - attr = kmalloc(sizeof(*attr), GFP_KERNEL); + attr = kzalloc(sizeof(*attr), GFP_KERNEL); if (!attr) return -ENOMEM; @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *fi if (ret) return ret; - if (*ppos) { /* continued read */ + if (*ppos && attr->get_buf[0]) { + /* continued read */ size = strlen(attr->get_buf); - } else { /* first read */ + } else { + /* first read */ u64 val; ret = attr->get(attr->data, &val); if (ret)