    signal/ptrace: Don't leak uninitialized kernel memory with PTRACE_PEEK_SIGINFO · f6e2aa91
    Eric W. Biederman authored
    Recently syzbot in conjunction with KMSAN reported that
    ptrace_peek_siginfo can copy an uninitialized siginfo to userspace.
    Inspecting ptrace_peek_siginfo confirms this.
    
    The problem is that off when initialized from args.off can be
    initialized to a negative value.  At which point the "if (off >= 0)"
    test to see if off became negative fails because off started off
    negative.
    
    Prevent the core problem by adding a variable found that is only true
    if a siginfo is found and copied to a temporary in preparation for
    being copied to userspace.
    
    Prevent args.off from being truncated when being assigned to off by
    testing that off is <= the maximum possible value of off.  Convert off
    to an unsigned long so that we should not have to truncate args.off,
    we have well defined overflow behavior so if we add another check we
    won't risk fighting undefined compiler behavior, and so that we have a
    type whose maximum value is easy to test for.
    
    Cc: Andrei Vagin <avagin@gmail.com>
    Cc: stable@vger.kernel.org
    Reported-by: syzbot+0d602a1b0d8c95bdf299@syzkaller.appspotmail.com
    Fixes: 84c751bd ("ptrace: add ability to retrieve signals without removing from a queue (v4)")
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
ptrace.c 32.7 KB
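The two failure modes the commit message describes (a negative args.off that makes the "if (off >= 0)" test useless, and args.off being truncated on assignment to a narrower off) can be reproduced in a small user-space model. The code below is an added example written for this page, not the kernel's ptrace.c: `peek_buggy`, `peek_fixed`, the `queue` array and the `STALE` sentinel are all constructed here. The pending-signal list is modelled as an array of signal numbers, and the uninitialized kernel temporary is modelled as a variable pre-filled with `STALE` so the program stays free of undefined behaviour while still showing which path hands the caller data that was never copied from the queue.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample queue of pending signals (SIGSEGV, SIGBUS, SIGINT). */
#define QUEUE_LEN 3
static const int queue[QUEUE_LEN] = { 11, 7, 2 };

/* Stand-in for whatever happened to be on the kernel stack: the real
 * temporary is uninitialized; here it holds a recognisable sentinel. */
#define STALE     4242
#define NOT_FOUND (-1)   /* "beyond the end of the list", nothing copied */
#define INVALID   (-2)   /* argument rejected up front (EINVAL in the kernel) */

/* Pre-fix shape: a signed 32-bit off seeded from a caller-supplied 64-bit
 * offset, and "off >= 0" as the only test for "nothing was found". */
int peek_buggy(int64_t arg_off)
{
    int32_t off = (int32_t)arg_off;   /* silently truncates large values */
    int info = STALE;                 /* models the uninitialized siginfo */

    for (int i = 0; i < QUEUE_LEN; i++) {
        if (!off--) {                 /* off never hits zero if it starts negative */
            info = queue[i];
            break;
        }
    }
    if (off >= 0)                     /* cannot trigger when off began negative */
        return NOT_FOUND;
    return info;                      /* STALE leaks to the caller for arg_off < 0 */
}

/* Post-fix shape, as described in the commit message: reject offsets that
 * do not fit an unsigned long, iterate with well-defined unsigned
 * arithmetic, and only copy out when a record was actually found. */
int peek_fixed(int64_t arg_off)
{
    if (arg_off < 0 || (uint64_t)arg_off > ULONG_MAX)
        return INVALID;

    unsigned long off = (unsigned long)arg_off;
    bool found = false;
    int info = STALE;

    for (int i = 0; i < QUEUE_LEN; i++) {
        if (!off--) {
            info = queue[i];
            found = true;
            break;
        }
    }
    if (!found)                       /* decided by the flag, not by off's sign */
        return NOT_FOUND;
    return info;
}

int main(void)
{
    const int64_t probes[] = { 1, 5, -1, (int64_t)1 << 32 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("off=%lld  buggy=%d  fixed=%d\n", (long long)probes[i],
               peek_buggy(probes[i]), peek_fixed(probes[i]));
    return 0;
}
```

Running it shows the buggy variant returning the `STALE` sentinel for a negative offset and returning the first queued signal for an offset of 2^32 (truncated to 0), while the fixed variant rejects the negative offset and treats 2^32 as out of range on every word size.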