prctl: fix PR_SET_MM_AUXV kernel stack leak

Doing a prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); will copy 1 byte from userspace to (quite big) on-stack array and then stash everything to mm->saved_auxv. AT_NULL terminator will be inserted at the very end. /proc/*/auxv handler will find that AT_NULL terminator and copy original stack contents to userspace. This devious scheme requires CAP_SYS_RESOURCE. Signed-off-by: N Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

prctl: fix PR_SET_MM_AUXV kernel stack leak
Doing a prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); will copy 1 byte from userspace to (quite big) on-stack array and then stash everything to mm->saved_auxv. AT_NULL terminator will be inserted at the very end. /proc/*/auxv handler will find that AT_NULL terminator and copy original stack contents to userspace. This devious scheme requires CAP_SYS_RESOURCE. Signed-off-by: N Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
c995f12a · Alexey Dobriyan · Linus Torvalds · 70404fe3 · c995f12a
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

kernel/sys.c kernel/sys.c +1 -1

未找到文件。
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2079,7 +2079,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
 	 * up to the caller to provide sane values here, otherwise userspace
 	 * tools which use this vector might be unhappy.
 	 */
-	unsigned long user_auxv[AT_VECTOR_SIZE];
+	unsigned long user_auxv[AT_VECTOR_SIZE] = {};
 	if (len > sizeof(user_auxv))
 		return -EINVAL;