    lib/syscall: fix syscall registers retrieval on 32-bit platforms · 4f134b89
    Willy Tarreau authored
    Lilith >_> and Claudio Bozzato of Cisco Talos security team reported
    that collect_syscall() improperly casts the syscall registers to 64-bit
    values leaking the uninitialized last 24 bytes on 32-bit platforms, that
    are visible in /proc/self/syscall.
    
    The cause is that info->data.args are u64 while syscall_get_arguments()
    uses longs, as hinted by the bogus pointer cast in the function.
    
    Let's just proceed like the other call places, by retrieving the
    registers into an array of longs before assigning them to the caller's
    array.  This was successfully tested on x86_64, i386 and ppc32.
    
    Reference: CVE-2020-28588, TALOS-2020-1211
    Fixes: 631b7aba ("ptrace: Remove maxargs from task_current_syscall()")
    Cc: Greg KH <greg@kroah.com>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Tested-by: Michael Ellerman <mpe@ellerman.id.au> (ppc32)
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
syscall.c 2.66 KB
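
A userspace model of the defect the commit message describes, added here as an example and not the kernel's code: six long-sized values stored into a `u64[6]` buffer cover only 24 of its 48 bytes when a long is 32 bits wide, while copying through a temporary array of longs initializes every byte. The names `long32_t`, `info_model` and `get_arguments_model`, the register values and the 0xAA fill pattern are constructed stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NARGS 6
typedef uint32_t long32_t;                    /* assumption: models `unsigned long` on a 32-bit target */
struct info_model { uint64_t args[NARGS]; };  /* models the u64 args array named in the message */

static const long32_t regs[NARGS] = { 1, 2, 3, 4, 5, 6 };  /* constructed register values */

/* Models a getter that stores NARGS long-sized values at dst (6 * 4 = 24 bytes). */
static void get_arguments_model(void *dst)
{
    memcpy(dst, regs, sizeof regs);
}

/* Pre-fix pattern: the u64 array is handed over as if it were an array of longs. */
static void collect_buggy(struct info_model *info)
{
    get_arguments_model(info->args);
}

/* Fixed pattern: fetch into an array of longs, then widen element by element. */
static void collect_fixed(struct info_model *info)
{
    long32_t tmp[NARGS];
    get_arguments_model(tmp);
    for (int i = 0; i < NARGS; i++)
        info->args[i] = tmp[i];
}

/* Returns how many bytes of the result still hold the pre-existing 0xAA pattern. */
static size_t stale_bytes(void (*collect)(struct info_model *))
{
    struct info_model info;
    size_t n = 0;
    memset(&info, 0xAA, sizeof info);         /* stands in for uninitialized stack contents */
    collect(&info);
    for (size_t i = 0; i < sizeof info; i++)
        n += ((const unsigned char *)&info)[i] == 0xAA;
    return n;
}

int main(void)
{
    printf("buggy: %zu stale bytes\n", stale_bytes(collect_buggy));
    printf("fixed: %zu stale bytes\n", stale_bytes(collect_fixed));
    return 0;
}
```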