korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-12-03 17:14:14 +08:00
Code Issues Packages Projects Releases Wiki Activity
3c00cb5e68
linux/arch
History
Amanieu d'Antras 3c00cb5e68 signal: fix information leak in copy_siginfo_from_user32 
This function can leak kernel stack data when the user siginfo_t has a
positive si_code value.  The top 16 bits of si_code descibe which fields
in the siginfo_t union are active, but they are treated inconsistently
between copy_siginfo_from_user32, copy_siginfo_to_user32 and
copy_siginfo_to_user.

copy_siginfo_from_user32 is called from rt_sigqueueinfo and
rt_tgsigqueueinfo in which the user has full control overthe top 16 bits
of si_code.

This fixes the following information leaks:
x86:   8 bytes leaked when sending a signal from a 32-bit process to
       itself. This leak grows to 16 bytes if the process uses x32.
       (si_code = __SI_CHLD)
x86:   100 bytes leaked when sending a signal from a 32-bit process to
       a 64-bit process. (si_code = -1)
sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
       64-bit process. (si_code = any)

parsic and s390 have similar bugs, but they are not vulnerable because
rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
to a different process.  These bugs are also fixed for consistency.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-08-07 04:39:40 +03:00
..
alpha mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
arc mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
arm ARM: SoC fixes 2015-08-02 09:12:46 -07:00
arm64 signal: fix information leak in copy_siginfo_from_user32 2015-08-07 04:39:40 +03:00
avr32 avr32: handle NULL as a valid clock object 2015-07-27 09:14:07 +02:00
blackfin mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
c6x mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
cris mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
frv mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
h8300 mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
hexagon mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
ia64 mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
m32r m32r: Add ioreadXX/iowriteXX big-endian mmio accessors 2015-07-23 18:08:28 -07:00
m68k mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
metag mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
microblaze mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
mips signal: fix information leak in copy_siginfo_from_user32 2015-08-07 04:39:40 +03:00
mn10300 mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
nios2 mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
openrisc mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
parisc parisc: mm: Fix a memory leak related to pmd not attached to the pgd 2015-07-19 08:56:14 +02:00
powerpc signal: fix information leak in copy_siginfo_from_user32 2015-08-07 04:39:40 +03:00
s390 Just two very small & simple patches. 2015-08-05 18:50:38 +03:00
score mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
sh mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
sparc mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
tile signal: fix information leak in copy_siginfo_from_user32 2015-08-07 04:39:40 +03:00
um mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
unicore32 mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
x86 Just two very small & simple patches. 2015-08-05 18:50:38 +03:00
xtensa mm: clean up per architecture MM hook header files 2015-07-17 16:39:53 -07:00
.gitignore
Kconfig x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86 2015-07-18 03:42:51 +02:00