git.baikalelectronics.ru Git - kernel.git/commit

author	Willy Tarreau <w@1wt.eu>
	Mon, 30 Nov 2020 07:36:48 +0000 (08:36 +0100)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Thu, 3 Dec 2020 17:52:44 +0000 (09:52 -0800)
commit	8e8ae274cd3251b84fd37fc588cb9609d302ceba
tree	3f65307ed6e24b0f227f00b3dc301ad8f36dea3e	tree \| snapshot
parent	d4100a62676d57b5c2ccbb1029ecd77f93330db1	commit \| diff

lib/syscall: fix syscall registers retrieval on 32-bit platforms

Lilith >_> and Claudio Bozzato of Cisco Talos security team reported
that collect_syscall() improperly casts the syscall registers to 64-bit
values leaking the uninitialized last 24 bytes on 32-bit platforms, that
are visible in /proc/self/syscall.

The cause is that info->data.args are u64 while syscall_get_arguments()
uses longs, as hinted by the bogus pointer cast in the function.

Let's just proceed like the other call places, by retrieving the
registers into an array of longs before assigning them to the caller's
array. This was successfully tested on x86_64, i386 and ppc32.

Reference: CVE-2020-28588, TALOS-2020-1211
Fixes: 69c6b12e1ce4 ("ptrace: Remove maxargs from task_current_syscall()")
Cc: Greg KH <greg@kroah.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Michael Ellerman <mpe@ellerman.id.au> (ppc32)
Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>