Fixes for seccomp_notify_ioctl uapi sanity
- Fix samples and selftests to zero passed-in buffer (Sargun Dhillon) - Enforce zeroed buffer checking (Sargun Dhillon) - Verify buffer sanity check in selftest (Sargun Dhillon) -----BEGIN PGP SIGNATURE----- Comment: Kees Cook <kees@outflux.net> iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAl4OX5wWHGtlZXNjb29r QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJtJZD/4iLG7mOUQNXdcPidjcIMO/tjST UzW+9Cb3buePgmCHO9v1TKGL29fVwP5TkuxdrBYDGrJ4rEYANSDX0aNmpHsO8/8M 2/B/Lo/f9cxFgoKI4QLY2XZ1YR+zkH980mtIG7ZcpYjsNl5AwmT27m2lo6iE7J+x 7rsaTRPFmUfgbblB6Z5gNwwATudrWJgq066lY2fg3GADP81s6lGQB+ul8rtu84ME mTvtb3w6piJb3E+DeYY8p4ykyiewDuYqZWDY+dvWi3kRDjNWX+yFJaPW0YNhM+yh HaMXnbuh6gDyCbeUHorC9ypQhJJKzEWCUW8e60BND+fOFCdKMa1AdCtlXWHjrXDQ x9hUgQ3UhEedYtQeYtYuoltf0W8Ft4wAapxKJJRegYPQ0RPOgcfdAg4UquusCaLo fWK2Hy4XFrxOwISqsFUczUVkBcXl+w0GGH59pSyTImgoQPlTpbVP6f7Axbl+qpKo pqOe4bO8curLGlZpdBN6syR5Ik0bizQK0kDZeo+wPmEClp/1zJWMJ4MTP4T80rxY 74DiQyfNH2iHfsOkdfHCsJC3jM8nmdKk5wMqtrAiIoT8/vdTBgumHrnmkORWFf8c R/NHCCLVs9q9sKV0s+VUR3OM2RjqpG1Wo/EBjTlbDQnibC5qdha8X2uVJWIHiF61 ZgwZ9BoKV/+mKSqTAQ== =WgBI -----END PGP SIGNATURE----- Merge tag 'seccomp-v5.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp fixes from Kees Cook: "Fixes for seccomp_notify_ioctl uapi sanity from Sargun Dhillon. The bulk of this is fixing the surrounding samples and selftests so that seccomp can correctly validate the seccomp_notify_ioctl buffer as being initially zeroed. Summary: - Fix samples and selftests to zero passed-in buffer - Enforce zeroed buffer checking - Verify buffer sanity check in selftest" * tag 'seccomp-v5.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV seccomp: Check that seccomp_notif is zeroed out by the user selftests/seccomp: Zero out seccomp_notif samples/seccomp: Zero out members based on seccomp_notif_sizes
This commit is contained in:
commit
bf6dd9a58e
@ -1026,6 +1026,13 @@ static long seccomp_notify_recv(struct seccomp_filter *filter,
|
||||
struct seccomp_notif unotif;
|
||||
ssize_t ret;
|
||||
|
||||
/* Verify that we're not given garbage to keep struct extensible. */
|
||||
ret = check_zeroed_user(buf, sizeof(unotif));
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
if (!ret)
|
||||
return -EINVAL;
|
||||
|
||||
memset(&unotif, 0, sizeof(unotif));
|
||||
|
||||
ret = down_interruptible(&filter->notif->request);
|
||||
|
@ -298,14 +298,14 @@ int main(void)
|
||||
req = malloc(sizes.seccomp_notif);
|
||||
if (!req)
|
||||
goto out_close;
|
||||
memset(req, 0, sizeof(*req));
|
||||
|
||||
resp = malloc(sizes.seccomp_notif_resp);
|
||||
if (!resp)
|
||||
goto out_req;
|
||||
memset(resp, 0, sizeof(*resp));
|
||||
memset(resp, 0, sizes.seccomp_notif_resp);
|
||||
|
||||
while (1) {
|
||||
memset(req, 0, sizes.seccomp_notif);
|
||||
if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, req)) {
|
||||
perror("ioctl recv");
|
||||
goto out_resp;
|
||||
|
@ -3158,7 +3158,18 @@ TEST(user_notification_basic)
|
||||
EXPECT_GT(poll(&pollfd, 1, -1), 0);
|
||||
EXPECT_EQ(pollfd.revents, POLLIN);
|
||||
|
||||
/* Test that we can't pass garbage to the kernel. */
|
||||
memset(&req, 0, sizeof(req));
|
||||
req.pid = -1;
|
||||
errno = 0;
|
||||
ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req);
|
||||
EXPECT_EQ(-1, ret);
|
||||
EXPECT_EQ(EINVAL, errno);
|
||||
|
||||
if (ret) {
|
||||
req.pid = 0;
|
||||
EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
|
||||
}
|
||||
|
||||
pollfd.fd = listener;
|
||||
pollfd.events = POLLIN | POLLOUT;
|
||||
@ -3278,6 +3289,7 @@ TEST(user_notification_signal)
|
||||
|
||||
close(sk_pair[1]);
|
||||
|
||||
memset(&req, 0, sizeof(req));
|
||||
EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
|
||||
|
||||
EXPECT_EQ(kill(pid, SIGUSR1), 0);
|
||||
@ -3296,6 +3308,7 @@ TEST(user_notification_signal)
|
||||
EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);
|
||||
EXPECT_EQ(errno, ENOENT);
|
||||
|
||||
memset(&req, 0, sizeof(req));
|
||||
EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);
|
||||
|
||||
resp.id = req.id;
|
||||
|
Loading…
Reference in New Issue
Block a user