Commit bf6dd9a5 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'seccomp-v5.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux 

Pull seccomp fixes from Kees Cook:
 "Fixes for seccomp_notify_ioctl uapi sanity from Sargun Dhillon.

  The bulk of this is fixing the surrounding samples and selftests so
  that seccomp can correctly validate the seccomp_notify_ioctl buffer as
  being initially zeroed.

  Summary:

   - Fix samples and selftests to zero passed-in buffer

   - Enforce zeroed buffer checking

   - Verify buffer sanity check in selftest"

* tag 'seccomp-v5.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV
  seccomp: Check that seccomp_notif is zeroed out by the user
  selftests/seccomp: Zero out seccomp_notif
  samples/seccomp: Zero out members based on seccomp_notif_sizes
parents 278b14eb e4ab5ccc

kernel/seccomp.c

+7 −0
Original line number Diff line number Diff line
@@ -1026,6 +1026,13 @@ static long seccomp_notify_recv(struct seccomp_filter *filter, 
	struct seccomp_notif unotif;

	ssize_t ret;



	/* Verify that we're not given garbage to keep struct extensible. */

	ret = check_zeroed_user(buf, sizeof(unotif));

	if (ret < 0)

		return ret;

	if (!ret)

		return -EINVAL;



	memset(&unotif, 0, sizeof(unotif));



	ret = down_interruptible(&filter->notif->request);

samples/seccomp/user-trap.c

+2 −2
Original line number Diff line number Diff line
@@ -298,14 +298,14 @@ int main(void) 
		req = malloc(sizes.seccomp_notif);

		if (!req)

			goto out_close;

		memset(req, 0, sizeof(*req));



		resp = malloc(sizes.seccomp_notif_resp);

		if (!resp)

			goto out_req;

		memset(resp, 0, sizeof(*resp));

		memset(resp, 0, sizes.seccomp_notif_resp);



		while (1) {

			memset(req, 0, sizes.seccomp_notif);

			if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, req)) {

				perror("ioctl recv");

				goto out_resp;

tools/testing/selftests/seccomp/seccomp_bpf.c

+14 −1
Original line number Diff line number Diff line
@@ -3158,7 +3158,18 @@ TEST(user_notification_basic) 
	EXPECT_GT(poll(&pollfd, 1, -1), 0);

	EXPECT_EQ(pollfd.revents, POLLIN);



	/* Test that we can't pass garbage to the kernel. */

	memset(&req, 0, sizeof(req));

	req.pid = -1;

	errno = 0;

	ret = ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req);

	EXPECT_EQ(-1, ret);

	EXPECT_EQ(EINVAL, errno);



	if (ret) {

		req.pid = 0;

		EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);

	}



	pollfd.fd = listener;

	pollfd.events = POLLIN | POLLOUT;
@@ -3278,6 +3289,7 @@ TEST(user_notification_signal) 


	close(sk_pair[1]);



	memset(&req, 0, sizeof(req));

	EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);



	EXPECT_EQ(kill(pid, SIGUSR1), 0);
@@ -3296,6 +3308,7 @@ TEST(user_notification_signal) 
	EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp), -1);

	EXPECT_EQ(errno, ENOENT);



	memset(&req, 0, sizeof(req));

	EXPECT_EQ(ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req), 0);



	resp.id = req.id;

CRA Git | Maintained and supported by SUSTech CRA and CCSE