releases/2.6.34.15/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-2.6.34 - Git at Google

 From 53a2c271c20b59345891be970a9b7733fd570d9b Mon Sep 17 00:00:00 2001
 From: Emese Revfy <re.emese@gmail.com>
 Date: Wed, 17 Apr 2013 15:58:36 -0700
 Subject: [PATCH] kernel/signal.c: stop info leak via the tkill and the tgkill
  syscalls

 commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream.

 This fixes a kernel memory contents leak via the tkill and tgkill syscalls
 for compat processes.

 This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
 when handling signals delivered from tkill.

 The place of the infoleak:

 int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
 {
         ...
         put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
         ...
 }

 Signed-off-by: Emese Revfy <re.emese@gmail.com>
 Reviewed-by: PaX Team <pageexec@freemail.hu>
 Signed-off-by: Kees Cook <keescook@chromium.org>
 Cc: Al Viro <viro@zeniv.linux.org.uk>
 Cc: Oleg Nesterov <oleg@redhat.com>
 Cc: "Eric W. Biederman" <ebiederm@xmission.com>
 Cc: Serge Hallyn <serge.hallyn@canonical.com>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
 ---
  kernel/signal.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/kernel/signal.c b/kernel/signal.c
 index 4f34db1bb58c..a471e6da5eae 100644
 --- a/kernel/signal.c
 +++ b/kernel/signal.c
 @@ -2361,7 +2361,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)

  static int do_tkill(pid_t tgid, pid_t pid, int sig)
  {
 -	struct siginfo info;
 +	struct siginfo info = {};

  	info.si_signo = sig;
  	info.si_errno = 0;
 --
 1.8.5.2
	From 53a2c271c20b59345891be970a9b7733fd570d9b Mon Sep 17 00:00:00 2001
	From: Emese Revfy <re.emese@gmail.com>
	Date: Wed, 17 Apr 2013 15:58:36 -0700
	Subject: [PATCH] kernel/signal.c: stop info leak via the tkill and the tgkill
	syscalls

	commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream.

	This fixes a kernel memory contents leak via the tkill and tgkill syscalls
	for compat processes.

	This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
	when handling signals delivered from tkill.

	The place of the infoleak:

	int copy_siginfo_to_user32(compat_siginfo_t __user to, siginfo_t from)
	{
	...
	put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
	...
	}

	Signed-off-by: Emese Revfy <re.emese@gmail.com>
	Reviewed-by: PaX Team <pageexec@freemail.hu>
	Signed-off-by: Kees Cook <keescook@chromium.org>
	Cc: Al Viro <viro@zeniv.linux.org.uk>
	Cc: Oleg Nesterov <oleg@redhat.com>
	Cc: "Eric W. Biederman" <ebiederm@xmission.com>
	Cc: Serge Hallyn <serge.hallyn@canonical.com>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
	---
	kernel/signal.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	diff --git a/kernel/signal.c b/kernel/signal.c
	index 4f34db1bb58c..a471e6da5eae 100644
	--- a/kernel/signal.c
	+++ b/kernel/signal.c
	@@ -2361,7 +2361,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)

	static int do_tkill(pid_t tgid, pid_t pid, int sig)
	{
	- struct siginfo info;
	+ struct siginfo info = {};

	info.si_signo = sig;
	info.si_errno = 0;
	--
	1.8.5.2