| From 96ca579a1ecc943b75beba58bebb0356f6cc4b51 Mon Sep 17 00:00:00 2001 |
| From: Kees Cook <keescook@chromium.org> |
| Date: Mon, 9 Oct 2017 11:36:52 -0700 |
| Subject: waitid(): Add missing access_ok() checks |
| |
| From: Kees Cook <keescook@chromium.org> |
| |
| commit 96ca579a1ecc943b75beba58bebb0356f6cc4b51 upstream. |
| |
| Adds missing access_ok() checks. |
| |
| CVE-2017-5123 |
| |
| Reported-by: Chris Salls <chrissalls5@gmail.com> |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Acked-by: Al Viro <viro@zeniv.linux.org.uk> |
| Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()") |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| kernel/exit.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/kernel/exit.c |
| +++ b/kernel/exit.c |
| @@ -1611,6 +1611,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_ |
| if (!infop) |
| return err; |
| |
| + if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop))) |
| + goto Efault; |
| + |
| user_access_begin(); |
| unsafe_put_user(signo, &infop->si_signo, Efault); |
| unsafe_put_user(0, &infop->si_errno, Efault); |
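Review bot: The added `goto Efault` is taken before `user_access_begin()`, so if the `Efault` label (outside this hunk) calls `user_access_end()`, as an `unsafe_put_user()` error target normally would, the failure path closes a user-access window that was never opened. Returning directly keeps begin/end balanced: `if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop))) return -EFAULT;`. The same applies to the identical check in the `COMPAT_SYSCALL_DEFINE5(waitid, ...)` hunk. A short comment above the check, for example `/* unsafe_put_user() does no range check; validate infop before opening the user-access window */`, would record why it must stay ahead of `user_access_begin()`. Both syscall bodies start and end outside the hunks, so the label's contents should be confirmed against the full file.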
| @@ -1736,6 +1739,9 @@ COMPAT_SYSCALL_DEFINE5(waitid, |
| if (!infop) |
| return err; |
| |
| + if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop))) |
| + goto Efault; |
| + |
| user_access_begin(); |
| unsafe_put_user(signo, &infop->si_signo, Efault); |
| unsafe_put_user(0, &infop->si_errno, Efault); |