[Lucid][CVE-2013-2141] kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
Luis Henriques
luis.henriques at canonical.com
Thu Jun 20 11:31:29 UTC 2013
From: Emese Revfy <re.emese at gmail.com>
BugLink: https://bugs.launchpad.net/bugs/1187732
CVE-2013-2141
This fixes a kernel memory contents leak via the tkill and tgkill syscalls
for compat processes.
This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
when handling signals delivered from tkill.
The place of the infoleak:
int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
{
...
put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
...
}
Signed-off-by: Emese Revfy <re.emese at gmail.com>
Reviewed-by: PaX Team <pageexec at freemail.hu>
Signed-off-by: Kees Cook <keescook at chromium.org>
Cc: Al Viro <viro at zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg at redhat.com>
Cc: "Eric W. Biederman" <ebiederm at xmission.com>
Cc: Serge Hallyn <serge.hallyn at canonical.com>
Cc: <stable at vger.kernel.org>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
kernel/signal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/signal.c b/kernel/signal.c
index 1c6675b..fb7e242 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2301,7 +2301,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
static int do_tkill(pid_t tgid, pid_t pid, int sig)
{
- struct siginfo info;
+ struct siginfo info = {};
info.si_signo = sig;
info.si_errno = 0;
--
1.8.1.2
More information about the kernel-team
mailing list