The patch titled
     Subject: signal: fix information leak in copy_siginfo_from_user32
has been added to the -mm tree.  Its filename is
     signal-fix-information-leak-in-copy_siginfo_from_user32.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/signal-fix-information-leak-in-copy_siginfo_from_user32.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/signal-fix-information-leak-in-copy_siginfo_from_user32.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Amanieu d'Antras <amanieu@xxxxxxxxx>
Subject: signal: fix information leak in copy_siginfo_from_user32

This function can leak kernel stack data when the user siginfo_t has a positive si_code value. The top 16 bits of si_code describe which fields in the siginfo_t union are active, but they are treated inconsistently between copy_siginfo_from_user32, copy_siginfo_to_user32 and copy_siginfo_to_user.

copy_siginfo_from_user32 is called from rt_sigqueueinfo and rt_tgsigqueueinfo in which the user has full control over the top 16 bits of si_code.

This fixes the following information leaks:

x86: 8 bytes leaked when sending a signal from a 32-bit process to itself. This leak grows to 16 bytes if the process uses x32. (si_code = __SI_CHLD)

x86: 100 bytes leaked when sending a signal from a 32-bit process to a 64-bit process. (si_code = -1)

sparc: 4 bytes leaked when sending a signal from a 32-bit process to a 64-bit process. (si_code = any)

parisc and s390 have similar bugs, but they are not vulnerable because rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code to a different process. These bugs are also fixed for consistency.

Signed-off-by: Amanieu d'Antras <amanieu@xxxxxxxxx>
Cc: Oleg Nesterov <oleg@xxxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: Russell King <rmk@xxxxxxxxxxxxxxxx>
Cc: Ralf Baechle <ralf@xxxxxxxxxxxxxx>
Cc: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
Cc: Chris Metcalf <cmetcalf@xxxxxxxxxx>
Cc: Paul Mackerras <paulus@xxxxxxxxx>
Cc: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 arch/arm64/kernel/signal32.c     |    2 --
 arch/mips/kernel/signal32.c      |    2 --
 arch/powerpc/kernel/signal_32.c  |    2 --
 arch/tile/kernel/compat_signal.c |    2 --
 kernel/signal.c                  |    4 ++--
 5 files changed, 2 insertions(+), 10 deletions(-)

diff -puN arch/arm64/kernel/signal32.c~signal-fix-information-leak-in-copy_siginfo_from_user32 arch/arm64/kernel/signal32.c
--- a/arch/arm64/kernel/signal32.c~signal-fix-information-leak-in-copy_siginfo_from_user32 +++ a/arch/arm64/kernel/signal32.c @@ -201,8 +201,6 @@ int copy_siginfo_to_user32(compat_siginf int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from) { - memset(to, 0, sizeof *to); - if (copy_from_user(to, from, __ARCH_SI_PREAMBLE_SIZE) || copy_from_user(to->_sifields._pad, from->_sifields._pad, SI_PAD_SIZE)) diff -puN arch/mips/kernel/signal32.c~signal-fix-information-leak-in-copy_siginfo_from_user32 arch/mips/kernel/signal32.c --- a/arch/mips/kernel/signal32.c~signal-fix-information-leak-in-copy_siginfo_from_user32 +++ a/arch/mips/kernel/signal32.c @@ -409,8 +409,6 @@ int copy_siginfo_to_user32(compat_siginf int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from) { - memset(to, 0, sizeof *to); - if (copy_from_user(to, from, 3*sizeof(int)) || copy_from_user(to->_sifields._pad, from->_sifields._pad, SI_PAD_SIZE32)) diff -puN arch/powerpc/kernel/signal_32.c~signal-fix-information-leak-in-copy_siginfo_from_user32 arch/powerpc/kernel/signal_32.c --- a/arch/powerpc/kernel/signal_32.c~signal-fix-information-leak-in-copy_siginfo_from_user32 +++ a/arch/powerpc/kernel/signal_32.c @@ -966,8 +966,6 @@ int copy_siginfo_to_user32(struct compat int copy_siginfo_from_user32(siginfo_t *to, struct compat_siginfo __user *from) { - memset(to, 0, sizeof *to); - if (copy_from_user(to, from, 3*sizeof(int)) || copy_from_user(to->_sifields._pad, from->_sifields._pad, SI_PAD_SIZE32)) diff -puN arch/tile/kernel/compat_signal.c~signal-fix-information-leak-in-copy_siginfo_from_user32 arch/tile/kernel/compat_signal.c --- a/arch/tile/kernel/compat_signal.c~signal-fix-information-leak-in-copy_siginfo_from_user32 +++ a/arch/tile/kernel/compat_signal.c 
@@ -113,8 +113,6 @@ int copy_siginfo_from_user32(siginfo_t * if (!access_ok(VERIFY_READ, from, sizeof(struct compat_siginfo))) return -EFAULT; - memset(to, 0, sizeof(*to)); - err = __get_user(to->si_signo, &from->si_signo); err |= __get_user(to->si_errno, &from->si_errno); err |= __get_user(to->si_code, &from->si_code); diff -puN kernel/signal.c~signal-fix-information-leak-in-copy_siginfo_from_user32 kernel/signal.c --- a/kernel/signal.c~signal-fix-information-leak-in-copy_siginfo_from_user32 +++ a/kernel/signal.c @@ -3017,7 +3017,7 @@ COMPAT_SYSCALL_DEFINE3(rt_sigqueueinfo, int, sig, struct compat_siginfo __user *, uinfo) { - siginfo_t info; + siginfo_t info = {}; int ret = copy_siginfo_from_user32(&info, uinfo); if (unlikely(ret)) return ret; @@ -3061,7 +3061,7 @@ COMPAT_SYSCALL_DEFINE4(rt_tgsigqueueinfo int, sig, struct compat_siginfo __user *, uinfo) { - siginfo_t info; + siginfo_t info = {}; if (copy_siginfo_from_user32(&info, uinfo)) return -EFAULT; _ Patches currently in -mm which might be from amanieu@xxxxxxxxx are signal-fix-information-leak-in-copy_siginfo_from_user32.patch signal-fix-information-leak-in-copy_siginfo_to_user.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
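Review bot: Dropping the memset in the arm64 copy_siginfo_from_user32 hunk turns "the caller must pre-zero *to" into an undocumented contract; the only callers visible here that honour it are the two compat syscalls in kernel/signal.c. Add a comment above copy_siginfo_from_user32 (or on its declaration) stating that the destination must already be zeroed, so a future caller that passes an uninitialised siginfo_t does not silently reintroduce the leak.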
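Review bot: In the mips and powerpc hunks, `copy_from_user(to->_sifields._pad, from->_sifields._pad, SI_PAD_SIZE32)` fills only the first SI_PAD_SIZE32 bytes of the native _pad, so the tail of the union is defined only because the caller now zeroes the struct; a one-line comment at that copy ("remaining bytes of _pad rely on the caller having zeroed *to") would make the dependency visible where the short copy happens.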
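Review bot: `siginfo_t info = {};` in the kernel/signal.c hunks zeroes the named members, but the C standard does not promise that padding bytes get zeroed by an initialiser; on 64-bit targets the 3-int preamble visible in the arch hunks is followed by a union containing pointers, so padding can sit between si_code and _sifields. If the zeroed struct can later be copied to user space as a whole, an explicit `memset(&info, 0, sizeof(info));` gives the guarantee the changelog relies on. Separately, the changelog lists x86 and sparc leaks but the diff touches neither arch; stating that these two initialisations are what fix them would help reviewers confirm coverage.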