This is a note to let you know that I've just added the patch titled
lib/syscall: Clear return values when no stack
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
lib-syscall-clear-return-values-when-no-stack.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 854fbd6e5f60fe99e8e3a569865409fca378f143 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@xxxxxxxxxxxx>
Date: Thu, 23 Mar 2017 15:46:16 -0700
Subject: lib/syscall: Clear return values when no stack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Kees Cook <keescook@xxxxxxxxxxxx>
commit 854fbd6e5f60fe99e8e3a569865409fca378f143 upstream.
Commit:
aa1f1a639621 ("lib/syscall: Pin the task stack in collect_syscall()")
... added logic to handle a process stack not existing, but left sp and pc
uninitialized, which can be later reported via /proc/$pid/syscall for zombie
processes, potentially exposing kernel memory to userspace.
Zombie /proc/$pid/syscall before:
-1 0xffffffff9a060100 0xffff92f42d6ad900
Zombie /proc/$pid/syscall after:
-1 0x0 0x0
Reported-by: Robert Święcki <robert@xxxxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: Andy Lutomirski <luto@xxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Brian Gerst <brgerst@xxxxxxxxx>
Cc: Denys Vlasenko <dvlasenk@xxxxxxxxxx>
Cc: H. Peter Anvin <hpa@xxxxxxxxx>
Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Fixes: aa1f1a639621 ("lib/syscall: Pin the task stack in collect_syscall()")
Link: http://lkml.kernel.org/r/20170323224616.GA92694@beast
Signed-off-by: Ingo Molnar <mingo@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
lib/syscall.c | 1 +
1 file changed, 1 insertion(+)
--- a/lib/syscall.c
+++ b/lib/syscall.c
@@ -11,6 +11,7 @@ static int collect_syscall(struct task_s
if (!try_get_task_stack(target)) {
/* Task has no stack, so the task isn't in a syscall. */
+ *sp = *pc = 0;
*callno = -1;
return 0;
}
Patches currently in stable-queue which might be from keescook@xxxxxxxxxxxx are
queue-4.9/x86-mm-kaslr-exclude-efi-region-from-kaslr-va-space-randomization.patch
queue-4.9/lib-syscall-clear-return-values-when-no-stack.patch