This is a note to let you know that I've just added the patch titled prctl: fix PR_SET_MM_AUXV kernel stack leak to the 4.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch and it can be found in the queue-4.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit a1fd7d2e22b7f94b9bc2e83180d2880a0974b89a Author: Alexey Dobriyan <adobriyan@xxxxxxxxx> Date: Sun Mar 14 23:51:14 2021 +0300 prctl: fix PR_SET_MM_AUXV kernel stack leak [ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] Doing a prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); will copy 1 byte from userspace to (quite big) on-stack array and then stash everything to mm->saved_auxv. AT_NULL terminator will be inserted at the very end. /proc/*/auxv handler will find that AT_NULL terminator and copy original stack contents to userspace. This devious scheme requires CAP_SYS_RESOURCE. Signed-off-by: Alexey Dobriyan <adobriyan@xxxxxxxxx> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/kernel/sys.c b/kernel/sys.c index baf60a3aa34b..81ed6023d01b 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2069,7 +2069,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, * up to the caller to provide sane values here, otherwise userspace * tools which use this vector might be unhappy. */ - unsigned long user_auxv[AT_VECTOR_SIZE]; + unsigned long user_auxv[AT_VECTOR_SIZE] = {}; if (len > sizeof(user_auxv)) return -EINVAL;