Commit bf6dd9a5 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'seccomp-v5.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull seccomp fixes from Kees Cook:
 "Fixes for seccomp_notify_ioctl uapi sanity from Sargun Dhillon.

  The bulk of this is fixing the surrounding samples and selftests so
  that seccomp can correctly validate the seccomp_notify_ioctl buffer as
  being initially zeroed.

  Summary:

   - Fix samples and selftests to zero passed-in buffer

   - Enforce zeroed buffer checking

   - Verify buffer sanity check in selftest"

* tag 'seccomp-v5.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV
  seccomp: Check that seccomp_notif is zeroed out by the user
  selftests/seccomp: Zero out seccomp_notif
  samples/seccomp: Zero out members based on seccomp_notif_sizes
parents 278b14eb e4ab5ccc
...@@ -1026,6 +1026,13 @@ static long seccomp_notify_recv(struct seccomp_filter *filter, ...@@ -1026,6 +1026,13 @@ static long seccomp_notify_recv(struct seccomp_filter *filter,
struct seccomp_notif unotif; struct seccomp_notif unotif;
ssize_t ret; ssize_t ret;
/* Verify that we're not given garbage to keep struct extensible. */
ret = check_zeroed_user(buf, sizeof(unotif));
if (ret < 0)
return ret;
if (!ret)
return -EINVAL;
memset(&unotif, 0, sizeof(unotif)); memset(&unotif, 0, sizeof(unotif));
ret = down_interruptible(&filter->notif->request); ret = down_interruptible(&filter->notif->request);
......
...@@ -298,14 +298,14 @@ int main(void) ...@@ -298,14 +298,14 @@ int main(void)
req = malloc(sizes.seccomp_notif); req = malloc(sizes.seccomp_notif);
if (!req) if (!req)
goto out_close; goto out_close;
memset(req, 0, sizeof(*req));
resp = malloc(sizes.seccomp_notif_resp); resp = malloc(sizes.seccomp_notif_resp);
if (!resp) if (!resp)
goto out_req; goto out_req;
memset(resp, 0, sizeof(*resp)); memset(resp, 0, sizes.seccomp_notif_resp);
while (1) { while (1) {
memset(req, 0, sizes.seccomp_notif);
if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, req)) { if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, req)) {
perror("ioctl recv"); perror("ioctl recv");
goto out_resp; goto out_resp;
......
...@@ -3158,7 +3158,18 @@ TEST(user_notification_basic) ...@@ -3158,7 +3158,18 @@ TEST(user_notification_basic)
EXPECT_GT(poll(&pollfd, 1, -1), 0); EXPECT_GT(poll(&pollfd, 1, -1), 0);
EXPECT_EQ(pollfd.revents, POLLIN); EXPECT_EQ(pollfd.revents, POLLIN);
/* Test that we can't pass garbage to the kernel. */
memset(&req, 0, sizeof(req));
req.pid = -1;
errno = 0;
ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req);
EXPECT_EQ(-1, ret);
EXPECT_EQ(EINVAL, errno);
if (ret) {
req.pid = 0;
EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0); EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
}
pollfd.fd = listener; pollfd.fd = listener;
pollfd.events = POLLIN | POLLOUT; pollfd.events = POLLIN | POLLOUT;
...@@ -3278,6 +3289,7 @@ TEST(user_notification_signal) ...@@ -3278,6 +3289,7 @@ TEST(user_notification_signal)
close(sk_pair[1]); close(sk_pair[1]);
memset(&req, 0, sizeof(req));
EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0); EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
EXPECT_EQ(kill(pid, SIGUSR1), 0); EXPECT_EQ(kill(pid, SIGUSR1), 0);
...@@ -3296,6 +3308,7 @@ TEST(user_notification_signal) ...@@ -3296,6 +3308,7 @@ TEST(user_notification_signal)
EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1); EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
EXPECT_EQ(errno, ENOENT); EXPECT_EQ(errno, ENOENT);
memset(&req, 0, sizeof(req));
EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0); EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
resp.id = req.id; resp.id = req.id;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment