| Message ID | 20200308023849.988264-1-ebiggers@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | libfs: fix infoleak in simple_attr_read() | expand |
On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Reading from a debugfs file at a nonzero position, without first reading > at position 0, leaks uninitialized memory to userspace. > > It's a bit tricky to do this, since lseek() and pread() aren't allowed > on these files, and write() doesn't update the position on them. But > writing to them with splice() *does* update the position: > > #define _GNU_SOURCE 1 > #include <fcntl.h> > #include <stdio.h> > #include <unistd.h> > int main() > { > int pipes[2], fd, n, i; > char buf[32]; > > pipe(pipes); > write(pipes[1], "0", 1); > fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR); > splice(pipes[0], NULL, fd, NULL, 1, 0); > n = read(fd, buf, sizeof(buf)); > for (i = 0; i < n; i++) > printf("%02x", buf[i]); > printf("\n"); > } > > Output: > 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30 > > Fix the infoleak by making simple_attr_read() always fill > simple_attr::get_buf if it hasn't been filled yet. > > Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com > Reported-by: Alexander Potapenko <glider@google.com> > Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files") > Cc: stable@vger.kernel.org > Signed-off-by: Eric Biggers <ebiggers@google.com> > --- > fs/libfs.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/fs/libfs.c b/fs/libfs.c > index c686bd9caac6..3759fbacf522 100644 > --- a/fs/libfs.c > +++ b/fs/libfs.c > @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file, > { > struct simple_attr *attr; > > - attr = kmalloc(sizeof(*attr), GFP_KERNEL); > + attr = kzalloc(sizeof(*attr), GFP_KERNEL); > if (!attr) > return -ENOMEM; > > @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, > if (ret) > return ret; > > - if (*ppos) { /* continued read */ > + if (*ppos && attr->get_buf[0]) { > + /* continued read */ > size = strlen(attr->get_buf); > - } else { /* first read */ > + } else { > + /* first read */ > u64 val; > ret = attr->get(attr->data, &val); > if (ret) > -- > 2.25.1 Any comments on this? Al, seems this is something you should pick up? - Eric
On Fri, Mar 13, 2020 at 09:45:11AM -0700, Eric Biggers wrote: > On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote: > > From: Eric Biggers <ebiggers@google.com> > > > > Reading from a debugfs file at a nonzero position, without first reading > > at position 0, leaks uninitialized memory to userspace. > > > > It's a bit tricky to do this, since lseek() and pread() aren't allowed > > on these files, and write() doesn't update the position on them. But > > writing to them with splice() *does* update the position: > > > > #define _GNU_SOURCE 1 > > #include <fcntl.h> > > #include <stdio.h> > > #include <unistd.h> > > int main() > > { > > int pipes[2], fd, n, i; > > char buf[32]; > > > > pipe(pipes); > > write(pipes[1], "0", 1); > > fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR); > > splice(pipes[0], NULL, fd, NULL, 1, 0); > > n = read(fd, buf, sizeof(buf)); > > for (i = 0; i < n; i++) > > printf("%02x", buf[i]); > > printf("\n"); > > } > > > > Output: > > 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30 > > > > Fix the infoleak by making simple_attr_read() always fill > > simple_attr::get_buf if it hasn't been filled yet. > > > > Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com > > Reported-by: Alexander Potapenko <glider@google.com> > > Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files") > > Cc: stable@vger.kernel.org > > Signed-off-by: Eric Biggers <ebiggers@google.com> > > --- > > fs/libfs.c | 8 +++++--- > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > diff --git a/fs/libfs.c b/fs/libfs.c > > index c686bd9caac6..3759fbacf522 100644 > > --- a/fs/libfs.c > > +++ b/fs/libfs.c > > @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file, > > { > > struct simple_attr *attr; > > > > - attr = kmalloc(sizeof(*attr), GFP_KERNEL); > > + attr = kzalloc(sizeof(*attr), GFP_KERNEL); > > if (!attr) > > return -ENOMEM; > > > > @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, > > if (ret) > > return ret; > > > > - if (*ppos) { /* continued read */ > > + if (*ppos && attr->get_buf[0]) { > > + /* continued read */ > > size = strlen(attr->get_buf); > > - } else { /* first read */ > > + } else { > > + /* first read */ > > u64 val; > > ret = attr->get(attr->data, &val); > > if (ret) > > -- > > 2.25.1 > > Any comments on this? Al, seems this is something you should pick up? > > - Eric Ping.
On Wed, Mar 18, 2020 at 09:39:40AM -0700, Eric Biggers wrote: > On Fri, Mar 13, 2020 at 09:45:11AM -0700, Eric Biggers wrote: > > On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote: > > > From: Eric Biggers <ebiggers@google.com> > > > > > > Reading from a debugfs file at a nonzero position, without first reading > > > at position 0, leaks uninitialized memory to userspace. > > > > > > It's a bit tricky to do this, since lseek() and pread() aren't allowed > > > on these files, and write() doesn't update the position on them. But > > > writing to them with splice() *does* update the position: > > > > > > #define _GNU_SOURCE 1 > > > #include <fcntl.h> > > > #include <stdio.h> > > > #include <unistd.h> > > > int main() > > > { > > > int pipes[2], fd, n, i; > > > char buf[32]; > > > > > > pipe(pipes); > > > write(pipes[1], "0", 1); > > > fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR); > > > splice(pipes[0], NULL, fd, NULL, 1, 0); > > > n = read(fd, buf, sizeof(buf)); > > > for (i = 0; i < n; i++) > > > printf("%02x", buf[i]); > > > printf("\n"); > > > } > > > > > > Output: > > > 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30 > > > > > > Fix the infoleak by making simple_attr_read() always fill > > > simple_attr::get_buf if it hasn't been filled yet. > > > > > > Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com > > > Reported-by: Alexander Potapenko <glider@google.com> > > > Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files") > > > Cc: stable@vger.kernel.org > > > Signed-off-by: Eric Biggers <ebiggers@google.com> > > > --- > > > fs/libfs.c | 8 +++++--- > > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > > > diff --git a/fs/libfs.c b/fs/libfs.c > > > index c686bd9caac6..3759fbacf522 100644 > > > --- a/fs/libfs.c > > > +++ b/fs/libfs.c > > > @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file, > > > { > > > struct simple_attr *attr; > > > > > > - attr = kmalloc(sizeof(*attr), GFP_KERNEL); > > > + attr = kzalloc(sizeof(*attr), GFP_KERNEL); > > > if (!attr) > > > return -ENOMEM; > > > > > > @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, > > > if (ret) > > > return ret; > > > > > > - if (*ppos) { /* continued read */ > > > + if (*ppos && attr->get_buf[0]) { > > > + /* continued read */ > > > size = strlen(attr->get_buf); > > > - } else { /* first read */ > > > + } else { > > > + /* first read */ > > > u64 val; > > > ret = attr->get(attr->data, &val); > > > if (ret) > > > -- > > > 2.25.1 > > > > Any comments on this? Al, seems this is something you should pick up? > > > > - Eric > > Ping. > Andrew, can you consider taking this patch? Al has been ignoring it, and this seems like a fairly important fix. This bug affects many (most?) debugfs files, and it affects years old kernels too not just recent ones. Thanks, - Eric
On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Reading from a debugfs file at a nonzero position, without first reading > at position 0, leaks uninitialized memory to userspace. > > It's a bit tricky to do this, since lseek() and pread() aren't allowed > on these files, and write() doesn't update the position on them. But > writing to them with splice() *does* update the position: > > #define _GNU_SOURCE 1 > #include <fcntl.h> > #include <stdio.h> > #include <unistd.h> > int main() > { > int pipes[2], fd, n, i; > char buf[32]; > > pipe(pipes); > write(pipes[1], "0", 1); > fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR); > splice(pipes[0], NULL, fd, NULL, 1, 0); > n = read(fd, buf, sizeof(buf)); > for (i = 0; i < n; i++) > printf("%02x", buf[i]); > printf("\n"); > } > > Output: > 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30 > > Fix the infoleak by making simple_attr_read() always fill > simple_attr::get_buf if it hasn't been filled yet. > > Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com > Reported-by: Alexander Potapenko <glider@google.com> > Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files") > Cc: stable@vger.kernel.org > Signed-off-by: Eric Biggers <ebiggers@google.com> Yikes, that's an important fix! Acked-by: Kees Cook <keescook@chromium.org> Luckily (as Alexander mentioned too), most distros make debugfs non-accessible by non-root (I hope): $ ls -lda /sys/kernel/debug drwx------ 39 root root 0 Jan 8 09:10 /sys/kernel/debug/ That function is also exposed via DEFINE_SIMPLE_ATTRIBUTE(), but those users appear to also be mostly (all?) debugfs too. And, just to note, for v5.3 and later, this would be fully mitigated by booting with "init_on_alloc=1". -Kees > --- > fs/libfs.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/fs/libfs.c b/fs/libfs.c > index c686bd9caac6..3759fbacf522 100644 > --- a/fs/libfs.c > +++ b/fs/libfs.c > @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file, > { > struct simple_attr *attr; > > - attr = kmalloc(sizeof(*attr), GFP_KERNEL); > + attr = kzalloc(sizeof(*attr), GFP_KERNEL); > if (!attr) > return -ENOMEM; > > @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, > if (ret) > return ret; > > - if (*ppos) { /* continued read */ > + if (*ppos && attr->get_buf[0]) { > + /* continued read */ > size = strlen(attr->get_buf); > - } else { /* first read */ > + } else { > + /* first read */ > u64 val; > ret = attr->get(attr->data, &val); > if (ret) > -- > 2.25.1 >
On Sat, Mar 21, 2020 at 08:56:20PM -0700, Eric Biggers wrote: > On Wed, Mar 18, 2020 at 09:39:40AM -0700, Eric Biggers wrote: > > On Fri, Mar 13, 2020 at 09:45:11AM -0700, Eric Biggers wrote: > > > On Sat, Mar 07, 2020 at 06:38:49PM -0800, Eric Biggers wrote: > > > > From: Eric Biggers <ebiggers@google.com> > > > > > > > > Reading from a debugfs file at a nonzero position, without first reading > > > > at position 0, leaks uninitialized memory to userspace. > > > > > > > > It's a bit tricky to do this, since lseek() and pread() aren't allowed > > > > on these files, and write() doesn't update the position on them. But > > > > writing to them with splice() *does* update the position: > > > > > > > > #define _GNU_SOURCE 1 > > > > #include <fcntl.h> > > > > #include <stdio.h> > > > > #include <unistd.h> > > > > int main() > > > > { > > > > int pipes[2], fd, n, i; > > > > char buf[32]; > > > > > > > > pipe(pipes); > > > > write(pipes[1], "0", 1); > > > > fd = open("/sys/kernel/debug/fault_around_bytes", O_RDWR); > > > > splice(pipes[0], NULL, fd, NULL, 1, 0); > > > > n = read(fd, buf, sizeof(buf)); > > > > for (i = 0; i < n; i++) > > > > printf("%02x", buf[i]); > > > > printf("\n"); > > > > } > > > > > > > > Output: > > > > 5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a30 > > > > > > > > Fix the infoleak by making simple_attr_read() always fill > > > > simple_attr::get_buf if it hasn't been filled yet. > > > > > > > > Reported-by: syzbot+fcab69d1ada3e8d6f06b@syzkaller.appspotmail.com > > > > Reported-by: Alexander Potapenko <glider@google.com> > > > > Fixes: acaefc25d21f ("[PATCH] libfs: add simple attribute files") > > > > Cc: stable@vger.kernel.org > > > > Signed-off-by: Eric Biggers <ebiggers@google.com> > > > > --- > > > > fs/libfs.c | 8 +++++--- > > > > 1 file changed, 5 insertions(+), 3 deletions(-) > > > > > > > > diff --git a/fs/libfs.c b/fs/libfs.c > > > > index c686bd9caac6..3759fbacf522 100644 > > > > --- a/fs/libfs.c > > > > +++ b/fs/libfs.c > > > > @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file, > > > > { > > > > struct simple_attr *attr; > > > > > > > > - attr = kmalloc(sizeof(*attr), GFP_KERNEL); > > > > + attr = kzalloc(sizeof(*attr), GFP_KERNEL); > > > > if (!attr) > > > > return -ENOMEM; > > > > > > > > @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, > > > > if (ret) > > > > return ret; > > > > > > > > - if (*ppos) { /* continued read */ > > > > + if (*ppos && attr->get_buf[0]) { > > > > + /* continued read */ > > > > size = strlen(attr->get_buf); > > > > - } else { /* first read */ > > > > + } else { > > > > + /* first read */ > > > > u64 val; > > > > ret = attr->get(attr->data, &val); > > > > if (ret) > > > > -- > > > > 2.25.1 > > > > > > Any comments on this? Al, seems this is something you should pick up? > > > > > > - Eric > > > > Ping. > > > > Andrew, can you consider taking this patch? Al has been ignoring it, and this > seems like a fairly important fix. This bug affects many (most?) debugfs files, > and it affects years old kernels too not just recent ones. As it affects debugfs files, I'll grab it now, thanks. greg k-h
diff --git a/fs/libfs.c b/fs/libfs.c index c686bd9caac6..3759fbacf522 100644 --- a/fs/libfs.c +++ b/fs/libfs.c @@ -891,7 +891,7 @@ int simple_attr_open(struct inode *inode, struct file *file, { struct simple_attr *attr; - attr = kmalloc(sizeof(*attr), GFP_KERNEL); + attr = kzalloc(sizeof(*attr), GFP_KERNEL); if (!attr) return -ENOMEM; @@ -931,9 +931,11 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, if (ret) return ret; - if (*ppos) { /* continued read */ + if (*ppos && attr->get_buf[0]) { + /* continued read */ size = strlen(attr->get_buf); - } else { /* first read */ + } else { + /* first read */ u64 val; ret = attr->get(attr->data, &val); if (ret)