And here is the x86 one. I haven't found others so far but I haven't
checked other architectures and I might have missed some callpaths for
x86 as well. Also please note this hasn't been tested properly and
it is based on the code reading.
---
>From fa8e84058c243f81a49c847624daaf935efdeb5a Mon Sep 17 00:00:00 2001
From: Michal Hocko <mhocko@xxxxxxxx>
Date: Mon, 23 May 2016 15:47:28 +0200
Subject: [PATCH] x86: fix potential memleak in do_error_trap
do_error_trap defines on stack siginfo structure which is then sent down
to do_trap -> force_sig_info without initializing it. __send_signal ->
copy_siginfo will copy the content for later use when the signal is
dequeued. This information might later leak into userspace. Fix it by
clearing the whole siginfo in do_error_trap before sending it to
do_trap.
Signed-off-by: Michal Hocko <mhocko@xxxxxxxx>
---
arch/x86/kernel/traps.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index d1590486204a..945b4dfc02e6 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -271,6 +271,7 @@ static void do_error_trap(struct pt_regs *regs, long error_code, char *str,
if (notify_die(DIE_TRAP, str, regs, error_code, trapnr, signr) !=
NOTIFY_STOP) {
+ memset(&info, 0, sizeof(info));
cond_local_irq_enable(regs);
do_trap(trapnr, signr, str, regs, error_code,
fill_trap_info(regs, signr, trapnr, &info));
--
2.8.1
--
Michal Hocko
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-s390" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
