| From b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 Mon Sep 17 00:00:00 2001 |
| From: Andi Kleen <andi@firstfloor.org> |
| Date: Fri, 8 Jan 2010 14:42:52 -0800 |
| Subject: kernel/signal.c: fix kernel information leak with print-fatal-signals=1 |
| |
| From: Andi Kleen <andi@firstfloor.org> |
| |
| commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream. |
| |
| When print-fatal-signals is enabled it's possible to dump any memory |
| reachable by the kernel to the log by simply jumping to that address from |
| user space. |
| |
| Or crash the system if there's some hardware with read side effects. |
| |
| The fatal signals handler will dump 16 bytes at the execution address, |
| which is fully controlled by ring 3. |
| |
| In addition when something jumps to an unmapped address there will be up to |
| 16 additional useless page faults, which might be potentially slow (and at |
| least is not very efficient). |
| |
| Fortunately this option is off by default and only there on i386. |
| |
| But fix it by checking for kernel addresses and also stopping when there's |
| a page fault. |
| |
| Signed-off-by: Andi Kleen <ak@linux.intel.com> |
| Cc: Ingo Molnar <mingo@elte.hu> |
| Cc: Oleg Nesterov <oleg@redhat.com> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| kernel/signal.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/kernel/signal.c |
| +++ b/kernel/signal.c |
| @@ -884,7 +884,8 @@ static void print_fatal_signal(struct pt |
| for (i = 0; i < 16; i++) { |
| unsigned char insn; |
| |
| - __get_user(insn, (unsigned char *)(regs->ip + i)); |
| + if (get_user(insn, (unsigned char *)(regs->ip + i))) |
| + break; |
| printk("%02x ", insn); |
| } |
| } |
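| Review bot: the two halves of the fix are both visible in this hunk and both are needed. Checking the return value of get_user() is what makes the loop stop at the first byte that faults, so an unmapped regs->ip no longer costs up to 16 page faults; switching from __get_user() to get_user() adds the access_ok() range check that __get_user() skips, so a regs->ip pointing into the kernel now fails before any read is attempted, which is the information-leak case from the description. One small gap: when the loop breaks early the printed byte run simply ends, so a truncated dump is indistinguishable from a short one; printing a marker before the `break` (for example `printk("<fault>")`) would make the truncation visible in the log. |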