diff mbox series

libfs: fix infoleak in simple_attr_read()

Message ID 20200308023849.988264-1-ebiggers@kernel.org (mailing list archive)
State New, archived
Headers show
Series libfs: fix infoleak in simple_attr_read() | expand

Commit Message

Eric Biggers March 8, 2020, 2:38 a.m. UTC
From: Eric Biggers <ebiggers@google.com>

Reading from a debugfs file at a nonzero position, without first reading
at position 0, leaks uninitialized memory to userspace.

It's a bit tricky to do this, since lseek() and pread() aren't allowed
on these files, and write() doesn't update the position on them.  But
writing to them with splice() *does* update the position:

	#define _GNU_SOURCE 1
	#include <fcntl.h>
	#include <stdio.h>
	#include <unistd.h>
	int main()
	{
		int pipes[2], fd, n, i;
		char buf[32];

		pipe(pipes);
		write(pipes[1], "0", 1);
		fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
		splice(pipes[0], NULL, fd, NULL, 1, 0);
		n = read(fd, buf, sizeof(buf));
		for (i = 0; i < n; i++)
			printf("%02x", buf[i]);
		printf("\n");
	}

Output:
	5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30

Fix the infoleak by making simple_attr_read() always fill
simple_attr::get_buf if it hasn't been filled yet.

Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
Reported-by: Alexander Potapenko <glider@google.com>
Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/libfs.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Comments

Eric Biggers March 13, 2020, 4:45 p.m. UTC | #1
On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Reading from a debugfs file at a nonzero position, without first reading
> at position 0, leaks uninitialized memory to userspace.
> 
> It's a bit tricky to do this, since lseek() and pread() aren't allowed
> on these files, and write() doesn't update the position on them.  But
> writing to them with splice() *does* update the position:
> 
> 	#define _GNU_SOURCE 1
> 	#include <fcntl.h>
> 	#include <stdio.h>
> 	#include <unistd.h>
> 	int main()
> 	{
> 		int pipes[2], fd, n, i;
> 		char buf[32];
> 
> 		pipe(pipes);
> 		write(pipes[1], "0", 1);
> 		fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
> 		splice(pipes[0], NULL, fd, NULL, 1, 0);
> 		n = read(fd, buf, sizeof(buf));
> 		for (i = 0; i < n; i++)
> 			printf("%02x", buf[i]);
> 		printf("\n");
> 	}
> 
> Output:
> 	5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
> 
> Fix the infoleak by making simple_attr_read() always fill
> simple_attr::get_buf if it hasn't been filled yet.
> 
> Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
> Reported-by: Alexander Potapenko <glider@google.com>
> Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  fs/libfs.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/libfs.c b/fs/libfs.c
> index c686bd9caac6..3759fbacf522 100644
> --- a/fs/libfs.c
> +++ b/fs/libfs.c
> @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file,
>  {
>  	struct simple_attr *attr;
>  
> -	attr = kmalloc(sizeof(*attr), GFP_KERNEL);
> +	attr = kzalloc(sizeof(*attr), GFP_KERNEL);
>  	if (!attr)
>  		return -ENOMEM;
>  
> @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
>  	if (ret)
>  		return ret;
>  
> -	if (*ppos) {		/* continued read */
> +	if (*ppos && attr->get_buf[0]) {
> +		/* continued read */
>  		size = strlen(attr->get_buf);
> -	} else {		/* first read */
> +	} else {
> +		/* first read */
>  		u64 val;
>  		ret = attr->get(attr->data, &val);
>  		if (ret)
> -- 
> 2.25.1

Any comments on this?  Al, seems this is something you should pick up?

- Eric
Eric Biggers March 18, 2020, 4:39 p.m. UTC | #2
On Fri, Mar 13, 2020 at 09:45:11AM -0700, Eric Biggers wrote:
> On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > Reading from a debugfs file at a nonzero position, without first reading
> > at position 0, leaks uninitialized memory to userspace.
> > 
> > It's a bit tricky to do this, since lseek() and pread() aren't allowed
> > on these files, and write() doesn't update the position on them.  But
> > writing to them with splice() *does* update the position:
> > 
> > 	#define _GNU_SOURCE 1
> > 	#include <fcntl.h>
> > 	#include <stdio.h>
> > 	#include <unistd.h>
> > 	int main()
> > 	{
> > 		int pipes[2], fd, n, i;
> > 		char buf[32];
> > 
> > 		pipe(pipes);
> > 		write(pipes[1], "0", 1);
> > 		fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
> > 		splice(pipes[0], NULL, fd, NULL, 1, 0);
> > 		n = read(fd, buf, sizeof(buf));
> > 		for (i = 0; i < n; i++)
> > 			printf("%02x", buf[i]);
> > 		printf("\n");
> > 	}
> > 
> > Output:
> > 	5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
> > 
> > Fix the infoleak by making simple_attr_read() always fill
> > simple_attr::get_buf if it hasn't been filled yet.
> > 
> > Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
> > Reported-by: Alexander Potapenko <glider@google.com>
> > Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > ---
> >  fs/libfs.c | 8 +++++---
> >  1 file changed, 5 insertions(+), 3 deletions(-)
> > 
> > diff --git a/fs/libfs.c b/fs/libfs.c
> > index c686bd9caac6..3759fbacf522 100644
> > --- a/fs/libfs.c
> > +++ b/fs/libfs.c
> > @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file,
> >  {
> >  	struct simple_attr *attr;
> >  
> > -	attr = kmalloc(sizeof(*attr), GFP_KERNEL);
> > +	attr = kzalloc(sizeof(*attr), GFP_KERNEL);
> >  	if (!attr)
> >  		return -ENOMEM;
> >  
> > @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
> >  	if (ret)
> >  		return ret;
> >  
> > -	if (*ppos) {		/* continued read */
> > +	if (*ppos && attr->get_buf[0]) {
> > +		/* continued read */
> >  		size = strlen(attr->get_buf);
> > -	} else {		/* first read */
> > +	} else {
> > +		/* first read */
> >  		u64 val;
> >  		ret = attr->get(attr->data, &val);
> >  		if (ret)
> > -- 
> > 2.25.1
> 
> Any comments on this?  Al, seems this is something you should pick up?
> 
> - Eric

Ping.
Eric Biggers March 22, 2020, 3:56 a.m. UTC | #3
On Wed, Mar 18, 2020 at 09:39:40AM -0700, Eric Biggers wrote:
> On Fri, Mar 13, 2020 at 09:45:11AM -0700, Eric Biggers wrote:
> > On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote:
> > > From: Eric Biggers <ebiggers@google.com>
> > > 
> > > Reading from a debugfs file at a nonzero position, without first reading
> > > at position 0, leaks uninitialized memory to userspace.
> > > 
> > > It's a bit tricky to do this, since lseek() and pread() aren't allowed
> > > on these files, and write() doesn't update the position on them.  But
> > > writing to them with splice() *does* update the position:
> > > 
> > > 	#define _GNU_SOURCE 1
> > > 	#include <fcntl.h>
> > > 	#include <stdio.h>
> > > 	#include <unistd.h>
> > > 	int main()
> > > 	{
> > > 		int pipes[2], fd, n, i;
> > > 		char buf[32];
> > > 
> > > 		pipe(pipes);
> > > 		write(pipes[1], "0", 1);
> > > 		fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
> > > 		splice(pipes[0], NULL, fd, NULL, 1, 0);
> > > 		n = read(fd, buf, sizeof(buf));
> > > 		for (i = 0; i < n; i++)
> > > 			printf("%02x", buf[i]);
> > > 		printf("\n");
> > > 	}
> > > 
> > > Output:
> > > 	5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
> > > 
> > > Fix the infoleak by making simple_attr_read() always fill
> > > simple_attr::get_buf if it hasn't been filled yet.
> > > 
> > > Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
> > > Reported-by: Alexander Potapenko <glider@google.com>
> > > Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > > ---
> > >  fs/libfs.c | 8 +++++---
> > >  1 file changed, 5 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/fs/libfs.c b/fs/libfs.c
> > > index c686bd9caac6..3759fbacf522 100644
> > > --- a/fs/libfs.c
> > > +++ b/fs/libfs.c
> > > @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file,
> > >  {
> > >  	struct simple_attr *attr;
> > >  
> > > -	attr = kmalloc(sizeof(*attr), GFP_KERNEL);
> > > +	attr = kzalloc(sizeof(*attr), GFP_KERNEL);
> > >  	if (!attr)
> > >  		return -ENOMEM;
> > >  
> > > @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
> > >  	if (ret)
> > >  		return ret;
> > >  
> > > -	if (*ppos) {		/* continued read */
> > > +	if (*ppos && attr->get_buf[0]) {
> > > +		/* continued read */
> > >  		size = strlen(attr->get_buf);
> > > -	} else {		/* first read */
> > > +	} else {
> > > +		/* first read */
> > >  		u64 val;
> > >  		ret = attr->get(attr->data, &val);
> > >  		if (ret)
> > > -- 
> > > 2.25.1
> > 
> > Any comments on this?  Al, seems this is something you should pick up?
> > 
> > - Eric
> 
> Ping.
> 

Andrew, can you consider taking this patch?  Al has been ignoring it, and this
seems like a fairly important fix.  This bug affects many (most?) debugfs files,
and it affects years old kernels too not just recent ones.

Thanks,

- Eric
Kees Cook March 22, 2020, 4:57 p.m. UTC | #4
On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Reading from a debugfs file at a nonzero position, without first reading
> at position 0, leaks uninitialized memory to userspace.
> 
> It's a bit tricky to do this, since lseek() and pread() aren't allowed
> on these files, and write() doesn't update the position on them.  But
> writing to them with splice() *does* update the position:
> 
> 	#define _GNU_SOURCE 1
> 	#include <fcntl.h>
> 	#include <stdio.h>
> 	#include <unistd.h>
> 	int main()
> 	{
> 		int pipes[2], fd, n, i;
> 		char buf[32];
> 
> 		pipe(pipes);
> 		write(pipes[1], "0", 1);
> 		fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
> 		splice(pipes[0], NULL, fd, NULL, 1, 0);
> 		n = read(fd, buf, sizeof(buf));
> 		for (i = 0; i < n; i++)
> 			printf("%02x", buf[i]);
> 		printf("\n");
> 	}
> 
> Output:
> 	5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
> 
> Fix the infoleak by making simple_attr_read() always fill
> simple_attr::get_buf if it hasn't been filled yet.
> 
> Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
> Reported-by: Alexander Potapenko <glider@google.com>
> Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Yikes, that's an important fix!

Acked-by: Kees Cook <keescook@chromium.org>

Luckily (as Alexander mentioned too), most distros make debugfs
non-accessible by non-root (I hope):

$ ls -lda /sys/kernel/debug
drwx------ 39 root root 0 Jan  8 09:10 /sys/kernel/debug/

That function is also exposed via DEFINE_SIMPLE_ATTRIBUTE(), but those
users appear to also be mostly (all?) debugfs too.

And, just to note, for v5.3 and later, this would be fully mitigated by
booting with "init_on_alloc=1".

-Kees

> ---
>  fs/libfs.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/libfs.c b/fs/libfs.c
> index c686bd9caac6..3759fbacf522 100644
> --- a/fs/libfs.c
> +++ b/fs/libfs.c
> @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file,
>  {
>  	struct simple_attr *attr;
>  
> -	attr = kmalloc(sizeof(*attr), GFP_KERNEL);
> +	attr = kzalloc(sizeof(*attr), GFP_KERNEL);
>  	if (!attr)
>  		return -ENOMEM;
>  
> @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
>  	if (ret)
>  		return ret;
>  
> -	if (*ppos) {		/* continued read */
> +	if (*ppos && attr->get_buf[0]) {
> +		/* continued read */
>  		size = strlen(attr->get_buf);
> -	} else {		/* first read */
> +	} else {
> +		/* first read */
>  		u64 val;
>  		ret = attr->get(attr->data, &val);
>  		if (ret)
> -- 
> 2.25.1
>
Greg KH March 24, 2020, 12:13 p.m. UTC | #5
On Sat, Mar 21, 2020 at 08:56:20PM -0700, Eric Biggers wrote:
> On Wed, Mar 18, 2020 at 09:39:40AM -0700, Eric Biggers wrote:
> > On Fri, Mar 13, 2020 at 09:45:11AM -0700, Eric Biggers wrote:
> > > On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote:
> > > > From: Eric Biggers <ebiggers@google.com>
> > > > 
> > > > Reading from a debugfs file at a nonzero position, without first reading
> > > > at position 0, leaks uninitialized memory to userspace.
> > > > 
> > > > It's a bit tricky to do this, since lseek() and pread() aren't allowed
> > > > on these files, and write() doesn't update the position on them.  But
> > > > writing to them with splice() *does* update the position:
> > > > 
> > > > 	#define _GNU_SOURCE 1
> > > > 	#include <fcntl.h>
> > > > 	#include <stdio.h>
> > > > 	#include <unistd.h>
> > > > 	int main()
> > > > 	{
> > > > 		int pipes[2], fd, n, i;
> > > > 		char buf[32];
> > > > 
> > > > 		pipe(pipes);
> > > > 		write(pipes[1], "0", 1);
> > > > 		fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR);
> > > > 		splice(pipes[0], NULL, fd, NULL, 1, 0);
> > > > 		n = read(fd, buf, sizeof(buf));
> > > > 		for (i = 0; i < n; i++)
> > > > 			printf("%02x", buf[i]);
> > > > 		printf("\n");
> > > > 	}
> > > > 
> > > > Output:
> > > > 	5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30
> > > > 
> > > > Fix the infoleak by making simple_attr_read() always fill
> > > > simple_attr::get_buf if it hasn't been filled yet.
> > > > 
> > > > Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com
> > > > Reported-by: Alexander Potapenko <glider@google.com>
> > > > Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files")
> > > > Cc: stable@vger.kernel.org
> > > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > > > ---
> > > >  fs/libfs.c | 8 +++++---
> > > >  1 file changed, 5 insertions(+), 3 deletions(-)
> > > > 
> > > > diff --git a/fs/libfs.c b/fs/libfs.c
> > > > index c686bd9caac6..3759fbacf522 100644
> > > > --- a/fs/libfs.c
> > > > +++ b/fs/libfs.c
> > > > @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file,
> > > >  {
> > > >  	struct simple_attr *attr;
> > > >  
> > > > -	attr = kmalloc(sizeof(*attr), GFP_KERNEL);
> > > > +	attr = kzalloc(sizeof(*attr), GFP_KERNEL);
> > > >  	if (!attr)
> > > >  		return -ENOMEM;
> > > >  
> > > > @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
> > > >  	if (ret)
> > > >  		return ret;
> > > >  
> > > > -	if (*ppos) {		/* continued read */
> > > > +	if (*ppos && attr->get_buf[0]) {
> > > > +		/* continued read */
> > > >  		size = strlen(attr->get_buf);
> > > > -	} else {		/* first read */
> > > > +	} else {
> > > > +		/* first read */
> > > >  		u64 val;
> > > >  		ret = attr->get(attr->data, &val);
> > > >  		if (ret)
> > > > -- 
> > > > 2.25.1
> > > 
> > > Any comments on this?  Al, seems this is something you should pick up?
> > > 
> > > - Eric
> > 
> > Ping.
> > 
> 
> Andrew, can you consider taking this patch?  Al has been ignoring it, and this
> seems like a fairly important fix.  This bug affects many (most?) debugfs files,
> and it affects years old kernels too not just recent ones.

As it affects debugfs files, I'll grab it now, thanks.

greg k-h
diff mbox series

Patch

diff --git a/fs/libfs.c b/fs/libfs.c
index c686bd9caac6..3759fbacf522 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -891,7 +891,7 @@  int simple_attr_open(struct inode *inode, struct file *file,
 {
 	struct simple_attr *attr;
 
-	attr = kmalloc(sizeof(*attr), GFP_KERNEL);
+	attr = kzalloc(sizeof(*attr), GFP_KERNEL);
 	if (!attr)
 		return -ENOMEM;
 
@@ -931,9 +931,11 @@  ssize_t simple_attr_read(struct file *file, char __user *buf,
 	if (ret)
 		return ret;
 
-	if (*ppos) {		/* continued read */
+	if (*ppos && attr->get_buf[0]) {
+		/* continued read */
 		size = strlen(attr->get_buf);
-	} else {		/* first read */
+	} else {
+		/* first read */
 		u64 val;
 		ret = attr->get(attr->data, &val);
 		if (ret)