未验证 提交 6510c784 编写于 作者: J Jisheng Zhang 提交者: Palmer Dabbelt

riscv: process: fix kernel info leakage

thread_struct's s[12] may contain random kernel memory content, which
may be finally leaked to userspace. This is a security hole. Fix it
by clearing the s[12] array in thread_struct when fork.

As for kthread case, it's better to clear the s[12] array as well.

Fixes: 7db91e57 ("RISC-V: Task implementation")
Signed-off-by: NJisheng Zhang <jszhang@kernel.org>
Tested-by: NGuo Ren <guoren@kernel.org>
Link: https://lore.kernel.org/r/20221029113450.4027-1-jszhang@kernel.orgReviewed-by: NGuo Ren <guoren@kernel.org>
Link: https://lore.kernel.org/r/CAJF2gTSdVyAaM12T%2B7kXAdRPGS4VyuO08X1c7paE-n4Fr8OtRA@mail.gmail.com/Signed-off-by: NPalmer Dabbelt <palmer@rivosinc.com>
上级 8bc8824d
...@@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) ...@@ -164,6 +164,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
unsigned long tls = args->tls; unsigned long tls = args->tls;
struct pt_regs *childregs = task_pt_regs(p); struct pt_regs *childregs = task_pt_regs(p);
memset(&p->thread.s, 0, sizeof(p->thread.s));
/* p->thread holds context to be restored by __switch_to() */ /* p->thread holds context to be restored by __switch_to() */
if (unlikely(args->fn)) { if (unlikely(args->fn)) {
/* Kernel thread */ /* Kernel thread */
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册