| From 6891c4509c792209c44ced55a60f13954cb50ef4 Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Sat, 4 Oct 2014 23:06:39 +0200 |
| Subject: posix-timers: Fix stack info leak in timer_create() |
| |
| From: Mathias Krause <minipli@googlemail.com> |
| |
| commit 6891c4509c792209c44ced55a60f13954cb50ef4 upstream. |
| |
| If userland creates a timer without specifying a sigevent info, we'll |
| create one ourself, using a stack local variable. Particularly will we |
| use the timer ID as sival_int. But as sigev_value is a union containing |
| a pointer and an int, that assignment will only partially initialize |
| sigev_value on systems where the size of a pointer is bigger than the |
| size of an int. On such systems we'll copy the uninitialized stack bytes |
| from the timer_create() call to userland when the timer actually fires |
| and we're going to deliver the signal. |
| |
| Initialize sigev_value with 0 to plug the stack info leak. |
| |
| Found in the PaX patch, written by the PaX Team. |
| |
| Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...") |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Cc: Oleg Nesterov <oleg@redhat.com> |
| Cc: Brad Spengler <spender@grsecurity.net> |
| Cc: PaX Team <pageexec@freemail.hu> |
| Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com |
| Signed-off-by: Thomas Gleixner <tglx@linutronix.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| kernel/time/posix-timers.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/kernel/time/posix-timers.c |
| +++ b/kernel/time/posix-timers.c |
| @@ -636,6 +636,7 @@ SYSCALL_DEFINE3(timer_create, const cloc |
| goto out; |
| } |
| } else { |
| + memset(&event.sigev_value, 0, sizeof(event.sigev_value)); |
| event.sigev_notify = SIGEV_SIGNAL; |
| event.sigev_signo = SIGALRM; |
| event.sigev_value.sival_int = new_timer->it_id; |
