| Field | Value |
|---|---|
| Message ID | 20221003102921.3973-2-jszhang@kernel.org (mailing list archive) |
| State | New, archived |
| Series | riscv: entry: further clean up and VMAP_STACK fix |
Reviewed-by: Guo Ren <guoren@kernel.org> On Mon, Oct 3, 2022 at 6:38 PM Jisheng Zhang <jszhang@kernel.org> wrote: > > thread_struct's s[12] may contain random kernel memory content, which > may be finally leaked to userspace. This is a security hole. Fix it > by clearing the s[12] array in thread_struct when fork. > > As for kthread case, it's better to clear the s[12] array as well. > > Fixes: 7db91e57a0ac ("RISC-V: Task implementation") > Signed-off-by: Jisheng Zhang <jszhang@kernel.org> > --- > arch/riscv/kernel/process.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c > index ceb9ebab6558..52002d54b163 100644 > --- a/arch/riscv/kernel/process.c > +++ b/arch/riscv/kernel/process.c > @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) > unsigned long tls = args->tls; > struct pt_regs *childregs = task_pt_regs(p); > > + memset(&p->thread.s, 0, sizeof(p->thread.s)); > + > /* p->thread holds context to be restored by __switch_to() */ > if (unlikely(args->fn)) { > /* Kernel thread */ > -- > 2.37.2 >
diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index ceb9ebab6558..52002d54b163 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) unsigned long tls = args->tls; struct pt_regs *childregs = task_pt_regs(p); + memset(&p->thread.s, 0, sizeof(p->thread.s)); + /* p->thread holds context to be restored by __switch_to() */ if (unlikely(args->fn)) { /* Kernel thread */
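Review bot: the memset sits before `if (unlikely(args->fn))`, so both the kernel-thread branch and the user-thread branch below it get a zeroed `p->thread.s`, which matches what the commit message asks for; a short comment above the memset saying that `s[]` holds the callee-saved registers `__switch_to()` restores would help the next reader, since the existing `/* p->thread holds context to be restored by __switch_to() */` describes the whole struct rather than why this array in particular must not carry stale data into the child, and the commit message should name the path by which the stale values become visible to userspace rather than only stating that they may be leaked.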
thread_struct's s[12] may contain random kernel memory content, which may be finally leaked to userspace. This is a security hole. Fix it by clearing the s[12] array in thread_struct on fork.

As for the kthread case, it's better to clear the s[12] array as well.

Fixes: 7db91e57a0ac ("RISC-V: Task implementation")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
---
 arch/riscv/kernel/process.c | 2 ++
 1 file changed, 2 insertions(+)
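A user-space model of the problem the commit message describes, added here as an example (not kernel code and not the author's patch); it assumes a simplified thread_struct and a constant standing in for ret_from_fork, and shows why a whole-struct copy of the parent leaves s[] carrying the parent's saved values unless copy_thread() clears it.

```c
/* Added model (not kernel code): the child's thread_struct starts as a byte
 * copy of the parent's (dup_task_struct), so any field copy_thread() does
 * not overwrite keeps the parent's last-saved register values. */
#include <stddef.h>
#include <string.h>

#define NR_S_REGS 12
#define RET_FROM_FORK 0x1000UL   /* placeholder for the real entry address */

struct thread_struct {
    unsigned long ra;            /* restored by __switch_to() */
    unsigned long s[NR_S_REGS];  /* callee-saved s0..s11 */
};

/* copy_thread() before the patch: ra set, s[] inherited as-is. */
void copy_thread_unfixed(struct thread_struct *c, const struct thread_struct *p)
{
    *c = *p;                     /* stands in for dup_task_struct() */
    c->ra = RET_FROM_FORK;
}

/* copy_thread() after the patch: s[] zeroed before either branch. */
void copy_thread_fixed(struct thread_struct *c, const struct thread_struct *p)
{
    *c = *p;
    memset(&c->s, 0, sizeof(c->s));
    c->ra = RET_FROM_FORK;
}

/* Number of child s[] slots still carrying the parent's nonzero values. */
size_t count_stale_regs(const struct thread_struct *c,
                        const struct thread_struct *p)
{
    size_t n = 0;
    for (size_t i = 0; i < NR_S_REGS; i++)
        if (c->s[i] && c->s[i] == p->s[i])
            n++;
    return n;
}

/* Seed a parent with constructed marker values and run either variant. */
size_t stale_after_fork(int fixed)
{
    struct thread_struct parent = {0}, child;
    for (size_t i = 0; i < NR_S_REGS; i++)
        parent.s[i] = 0xdead0000UL + i * 8;   /* constructed marker */
    if (fixed) copy_thread_fixed(&child, &parent);
    else       copy_thread_unfixed(&child, &parent);
    return count_stale_regs(&child, &parent);
}
```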