• Kees Cook's avatar
    signal: always clear sa_restorer on execve · 2ca39528
    Kees Cook authored
    When the new signal handlers are set up, the location of sa_restorer is
    not cleared, leaking a parent process's address space location to
    children.  This allows for a potential bypass of the parent's ASLR by
    examining the sa_restorer value returned when calling sigaction().
    
    Based on what should be considered "secret" about addresses, it only
    matters across the exec not the fork (since the VMAs haven't changed
    until the exec).  But since exec sets SIG_DFL and keeps sa_restorer,
    this is where it should be fixed.
    
    Given the few uses of sa_restorer, a "set" function was not written
    since this would be the only use.  Instead, we use
    __ARCH_HAS_SA_RESTORER, as already done in other places.
    
    Example of the leak before applying this patch:
    
      $ cat /proc/$$/maps
      ...
      7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
      ...
      $ ./leak
      ...
      7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
      ...
      1 0 (nil) 0x7fb9f30b94a0
      2 4000000 (nil) 0x7f278bcaa4a0
      3 4000000 (nil) 0x7f278bcaa4a0
      4 0 (nil) 0x7fb9f30b94a0
      ...
    
    [akpm@linux-foundation.org: use SA_RESTORER for backportability]
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Reported-by: default avatarEmese Revfy <re.emese@gmail.com>
    Cc: Emese Revfy <re.emese@gmail.com>
    Cc: PaX Team <pageexec@freemail.hu>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Serge Hallyn <serge.hallyn@canonical.com>
    Cc: Julien Tinnes <jln@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    2ca39528
signal.c 94.8 KB