| From 53a2c271c20b59345891be970a9b7733fd570d9b Mon Sep 17 00:00:00 2001 |
| From: Emese Revfy <re.emese@gmail.com> |
| Date: Wed, 17 Apr 2013 15:58:36 -0700 |
| Subject: [PATCH] kernel/signal.c: stop info leak via the tkill and the tgkill |
| syscalls |
| |
| commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream. |
| |
| This fixes a kernel memory contents leak via the tkill and tgkill syscalls |
| for compat processes. |
| |
| This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field |
| when handling signals delivered from tkill. |
| |
| The place of the infoleak: |
| |
| int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) |
| { |
| ... |
| put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); |
| ... |
| } |
| |
| Signed-off-by: Emese Revfy <re.emese@gmail.com> |
| Reviewed-by: PaX Team <pageexec@freemail.hu> |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Cc: Al Viro <viro@zeniv.linux.org.uk> |
| Cc: Oleg Nesterov <oleg@redhat.com> |
| Cc: "Eric W. Biederman" <ebiederm@xmission.com> |
| Cc: Serge Hallyn <serge.hallyn@canonical.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| kernel/signal.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/kernel/signal.c b/kernel/signal.c |
| index 4f34db1bb58c..a471e6da5eae 100644 |
| --- a/kernel/signal.c |
| +++ b/kernel/signal.c |
| @@ -2361,7 +2361,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) |
| |
| static int do_tkill(pid_t tgid, pid_t pid, int sig) |
| { |
| - struct siginfo info; |
| + struct siginfo info = {}; |
| |
| info.si_signo = sig; |
| info.si_errno = 0; |
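Review bot: The `= {}` initializer on `info` in do_tkill is the entire fix, yet nothing in the code says it is security-relevant, so a later cleanup could drop it as redundant with the field assignments that follow. I would add a comment above it such as `/* Zero everything: members not set below are still copied to userspace for compat tasks. */`. Brace initialization also does not promise that padding bytes are cleared, so if any delivery path copies the structure wholesale rather than field by field (not visible in this hunk), `memset(&info, 0, sizeof(info));` is the more defensive form. The body of do_tkill continues past the end of the hunk.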
| -- |
| 1.8.5.2 |
| |