On Fri, Aug 14, 2015 at 10:45:07AM -0700, Greg Kroah-Hartman wrote:
> 3.14-stable review patch. If anyone has any objections, please let me know.
>

These 3 patches seem to be relevant to other stable trees as well. I'm
queuing them for the 3.16 kernel.

Cheers,
--
Luís

> ------------------
>
> From: Amanieu d'Antras <amanieu@xxxxxxxxx>
>
> commit 3ead7c52bdb0ab44f4bb1feed505a8323cc12ba7 upstream.
>
> This function may copy the si_addr_lsb field to user mode when it hasn't
> been initialized, which can leak kernel stack data to user mode.
>
> Just checking the value of si_code is insufficient because the same
> si_code value is shared between multiple signals. This is solved by
> checking the value of si_signo in addition to si_code.
>
> Signed-off-by: Amanieu d'Antras <amanieu@xxxxxxxxx>
> Cc: Oleg Nesterov <oleg@xxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>
> ---
> fs/signalfd.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> --- a/fs/signalfd.c
> +++ b/fs/signalfd.c
> @@ -121,8 +121,9 @@ static int signalfd_copyinfo(struct sign > * Other callers might not initialize the si_lsb field, > * so check explicitly for the right codes here. > */ > - if (kinfo->si_code == BUS_MCEERR_AR || > - kinfo->si_code == BUS_MCEERR_AO) > + if (kinfo->si_signo == SIGBUS && > + (kinfo->si_code == BUS_MCEERR_AR || > + kinfo->si_code == BUS_MCEERR_AO)) > err |= __put_user((short) kinfo->si_addr_lsb, > &uinfo->ssi_addr_lsb); > #endif > > > -- > To unsubscribe from this list: send the line "unsubscribe stable" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
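Review bot: the comment directly above the changed condition still says only "check explicitly for the right codes here", which no longer describes the test now that `kinfo->si_signo == SIGBUS` is part of it. Since the commit message's point is that the same si_code value is shared between multiple signals, that comment should say so (for example, that BUS_MCEERR_AR and BUS_MCEERR_AO only identify a machine-check error when si_signo is SIGBUS), so that the si_signo test is not later dropped as redundant and the copy of an uninitialized si_addr_lsb reintroduced.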