Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-28588/0001-lib-syscall-fix-syscall-registers-retrieval-on-32-bi.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-28588/0001-lib-syscall-fix-syscall-registers-retrieval-on-32-bi.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-28588/0001-lib-syscall-fix-syscall-registers-retrieval-on-32-bi.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-28588/0001-lib-syscall-fix-syscall-registers-retrieval-on-32-bi.patch
new file mode 100644
index 000000000..dc2ae62fc
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-28588/0001-lib-syscall-fix-syscall-registers-retrieval-on-32-bi.patch
@@ -0,0 +1,62 @@
+From 4f134b89a24b965991e7c345b9a4591821f7c2a6 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Mon, 30 Nov 2020 08:36:48 +0100
+Subject: [PATCH] lib/syscall: fix syscall registers retrieval on 32-bit
+ platforms
+
+Lilith >_> and Claudio Bozzato of Cisco Talos security team reported
+that collect_syscall() improperly casts the syscall registers to 64-bit
+values leaking the uninitialized last 24 bytes on 32-bit platforms, that
+are visible in /proc/self/syscall.
+
+The cause is that info->data.args are u64 while syscall_get_arguments()
+uses longs, as hinted by the bogus pointer cast in the function.
+
+Let's just proceed like the other call places, by retrieving the
+registers into an array of longs before assigning them to the caller's
+array. This was successfully tested on x86_64, i386 and ppc32.
+
+Reference: CVE-2020-28588, TALOS-2020-1211
+Fixes: 631b7abacd02 ("ptrace: Remove maxargs from task_current_syscall()")
+Cc: Greg KH <greg@kroah.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Tested-by: Michael Ellerman <mpe@ellerman.id.au> (ppc32)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ lib/syscall.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/lib/syscall.c b/lib/syscall.c
+index 8533d2fea2d7..ba13e924c430 100644
+--- a/lib/syscall.c
++++ b/lib/syscall.c
+@@ -7,6 +7,7 @@
+ 
+ static int collect_syscall(struct task_struct *target, struct syscall_info *info)
+ {
++ unsigned long args[6] = { };
+ struct pt_regs *regs;
+ 
+ if (!try_get_task_stack(target)) {
+@@ -27,8 +28,14 @@ static int collect_syscall(struct task_struct *target, struct syscall_info *info
+ 
+ info->data.nr = syscall_get_nr(target, regs);
+ if (info->data.nr != -1L)
+- syscall_get_arguments(target, regs,
+- (unsigned long *)&info->data.args[0]);
++ syscall_get_arguments(target, regs, args);
++
++ info->data.args[0] = args[0];
++ info->data.args[1] = args[1];
++ info->data.args[2] = args[2];
++ info->data.args[3] = args[3];
++ info->data.args[4] = args[4];
++ info->data.args[5] = args[5];
+ 
+ put_task_stack(target);
+ return 0;
+-- 
+2.17.1
+
|
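Review bot: The carried patch header, between the last `Signed-off-by:` trailer and the `---` separator, has no `Upstream-Status:` or `CVE:` tag, so the layer does not record where this backport came from. Yocto's CVE scan may also not count CVE-2020-28588 as patched if it keys on a `CVE:` line or the patch file name rather than on the directory name or the `Reference:` trailer; this is worth confirming against the cve-check class in use. I would add `CVE: CVE-2020-28588` and `Upstream-Status: Backport [4f134b89a24b965991e7c345b9a4591821f7c2a6]`, the latter assuming the hash on the `From` line is the mainline commit. The diffstat is limited to this one file, so the `SRC_URI` entry that applies the patch is not visible here; check that the linux-aspeed recipe lists it and that both hunks in `collect_syscall()` apply without fuzz to the kernel version being built.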