• A
    signal: fix information leak in copy_siginfo_from_user32 · 3c00cb5e
    Amanieu d'Antras 提交于
    This function can leak kernel stack data when the user siginfo_t has a
    positive si_code value.  The top 16 bits of si_code descibe which fields
    in the siginfo_t union are active, but they are treated inconsistently
    between copy_siginfo_from_user32, copy_siginfo_to_user32 and
    copy_siginfo_to_user.
    
    copy_siginfo_from_user32 is called from rt_sigqueueinfo and
    rt_tgsigqueueinfo in which the user has full control overthe top 16 bits
    of si_code.
    
    This fixes the following information leaks:
    x86:   8 bytes leaked when sending a signal from a 32-bit process to
           itself. This leak grows to 16 bytes if the process uses x32.
           (si_code = __SI_CHLD)
    x86:   100 bytes leaked when sending a signal from a 32-bit process to
           a 64-bit process. (si_code = -1)
    sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
           64-bit process. (si_code = any)
    
    parsic and s390 have similar bugs, but they are not vulnerable because
    rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
    to a different process.  These bugs are also fixed for consistency.
    Signed-off-by: NAmanieu d'Antras <amanieu@gmail.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Russell King <rmk@arm.linux.org.uk>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Chris Metcalf <cmetcalf@ezchip.com>
    Cc: Paul Mackerras <paulus@samba.org>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
    3c00cb5e
signal_32.c 43.5 KB