https://github.com/torvalds/linux
Revision 4f134b89a24b965991e7c345b9a4591821f7c2a6 authored by Willy Tarreau on 30 November 2020, 07:36:48 UTC, committed by Linus Torvalds on 03 December 2020, 17:52:44 UTC
Lilith >_> and Claudio Bozzato of Cisco Talos security team reported
that collect_syscall() improperly casts the syscall registers to 64-bit
values leaking the uninitialized last 24 bytes on 32-bit platforms, that
are visible in /proc/self/syscall.
The cause is that info->data.args are u64 while syscall_get_arguments()
uses longs, as hinted by the bogus pointer cast in the function.
Let's just proceed like the other call places, by retrieving the
registers into an array of longs before assigning them to the caller's
array. This was successfully tested on x86_64, i386 and ppc32.
Reference: CVE-2020-28588, TALOS-2020-1211
Fixes: 631b7abacd02 ("ptrace: Remove maxargs from task_current_syscall()")
Cc: Greg KH <greg@kroah.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Michael Ellerman <mpe@ellerman.id.au> (ppc32)
Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 34816d2
Tip revision: 4f134b89a24b965991e7c345b9a4591821f7c2a6 authored by Willy Tarreau on 30 November 2020, 07:36:48 UTC
lib/syscall: fix syscall registers retrieval on 32-bit platforms
lib/syscall: fix syscall registers retrieval on 32-bit platforms
Tip revision: 4f134b8
| File | Mode | Size |
|---|---|---|
| Documentation | ||
| LICENSES | ||
| arch | ||
| block | ||
| certs | ||
| crypto | ||
| drivers | ||
| fs | ||
| include | ||
| init | ||
| ipc | ||
| kernel | ||
| lib | ||
| mm | ||
| net | ||
| samples | ||
| scripts | ||
| security | ||
| sound | ||
| tools | ||
| usr | ||
| virt | ||
| .clang-format | -rw-r--r-- | 16.3 KB |
| .cocciconfig | -rw-r--r-- | 59 bytes |
| .get_maintainer.ignore | -rw-r--r-- | 71 bytes |
| .gitattributes | -rw-r--r-- | 62 bytes |
| .gitignore | -rw-r--r-- | 1.8 KB |
| .mailmap | -rw-r--r-- | 17.7 KB |
| COPYING | -rw-r--r-- | 496 bytes |
| CREDITS | -rw-r--r-- | 98.0 KB |
| Kbuild | -rw-r--r-- | 1.3 KB |
| Kconfig | -rw-r--r-- | 555 bytes |
| MAINTAINERS | -rw-r--r-- | 562.3 KB |
| Makefile | -rw-r--r-- | 62.6 KB |
| README | -rw-r--r-- | 727 bytes |
Computing file changes ...
