signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
authorEric W. Biederman <ebiederm@xmission.com>
Tue, 28 May 2019 23:46:37 +0000 (18:46 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 22 Jun 2019 06:17:18 +0000 (08:17 +0200)
commit2fc1de48326fd22b1e1be4fa050fb3a710fe2327
treedd45fe66301212d6e2c56a2dd07484d1f521c7f5
parentd9d0c83c8d23ff93c5c72bff031c0d5ac1014a9f
signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO

[ Upstream commit f6e2aa91a46d2bc79fce9b93a988dbe7655c90c0 ]

Recently syzbot in conjunction with KMSAN reported that
ptrace_peek_siginfo can copy an uninitialized siginfo to userspace.
Inspecting ptrace_peek_siginfo confirms this.

The problem is that off when initialized from args.off can be
initialized to a negaive value.  At which point the "if (off >= 0)"
test to see if off became negative fails because off started off
negative.

Prevent the core problem by adding a variable found that is only true
if a siginfo is found and copied to a temporary in preparation for
being copied to userspace.

Prevent args.off from being truncated when being assigned to off by
testing that off is <= the maximum possible value of off.  Convert off
to an unsigned long so that we should not have to truncate args.off,
we have well defined overflow behavior so if we add another check we
won't risk fighting undefined compiler behavior, and so that we have a
type whose maximum value is easy to test for.

Cc: Andrei Vagin <avagin@gmail.com>
Cc: stable@vger.kernel.org
Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
Fixes: 84c751bd4aeb ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
kernel/ptrace.c