| From fa8342f055d6251e4ea205d8f3bc01e7e646b8d7 Mon Sep 17 00:00:00 2001 |
| From: Sargun Dhillon <sargun@sargun.me> |
| Date: Mon, 30 Dec 2019 12:35:03 -0800 |
| Subject: [PATCH] samples/seccomp: Zero out members based on |
| seccomp_notif_sizes |
| |
| commit 771b894f2f3dfedc2ba5561731fffa0e39b1bbb6 upstream. |
| |
| The sizes by which seccomp_notif and seccomp_notif_resp are allocated are |
| based on the SECCOMP_GET_NOTIF_SIZES ioctl. This allows for graceful |
| extension of these datastructures. If userspace zeroes out the |
| datastructure based on its version, and it is lagging behind the kernel's |
| version, it will end up sending trailing garbage. On the other hand, |
| if it is ahead of the kernel version, it will write extra zero space, |
| and potentially cause corruption. |
| |
| Signed-off-by: Sargun Dhillon <sargun@sargun.me> |
| Suggested-by: Tycho Andersen <tycho@tycho.ws> |
| Link: https://lore.kernel.org/r/20191230203503.4925-1-sargun@sargun.me |
| Fixes: fec7b6690541 ("samples: add an example of seccomp user trap") |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/samples/seccomp/user-trap.c b/samples/seccomp/user-trap.c |
| index 6d0125ca8af7..20291ec6489f 100644 |
| --- a/samples/seccomp/user-trap.c |
| +++ b/samples/seccomp/user-trap.c |
| @@ -298,14 +298,14 @@ int main(void) |
| req = malloc(sizes.seccomp_notif); |
| if (!req) |
| goto out_close; |
| - memset(req, 0, sizeof(*req)); |
| |
| resp = malloc(sizes.seccomp_notif_resp); |
| if (!resp) |
| goto out_req; |
| - memset(resp, 0, sizeof(*resp)); |
| + memset(resp, 0, sizes.seccomp_notif_resp); |
| |
| while (1) { |
| + memset(req, 0, sizes.seccomp_notif); |
| if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, req)) { |
| perror("ioctl recv"); |
| goto out_resp; |
| -- |
| 2.7.4 |
| |