• Amanieu d'Antras's avatar
    signal: fix information leak in copy_siginfo_from_user32 · a209694c
    Amanieu d'Antras authored
    commit 3c00cb5e upstream.
    
    This function can leak kernel stack data when the user siginfo_t has a
    positive si_code value.  The top 16 bits of si_code descibe which fields
    in the siginfo_t union are active, but they are treated inconsistently
    between copy_siginfo_from_user32, copy_siginfo_to_user32 and
    copy_siginfo_to_user.
    
    copy_siginfo_from_user32 is called from rt_sigqueueinfo and
    rt_tgsigqueueinfo in which the user has full control overthe top 16 bits
    of si_code.
    
    This fixes the following information leaks:
    x86:   8 bytes leaked when sending a signal from a 32-bit process to
           itself. This leak grows to 16 bytes if the process uses x32.
           (si_code = __SI_CHLD)
    x86:   100 bytes leaked when sending a signal from a 32-bit process to
           a 64-bit process. (si_code = -1)
    sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
           64-bit process. (si_code = any)
    
    parsic and s390 have similar bugs, but they are not vulnerable because
    rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
    to a different process.  These bugs are also fixed for consistency.
    Signed-off-by: default avatarAmanieu d'Antras <amanieu@gmail.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Russell King <rmk@arm.linux.org.uk>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Chris Metcalf <cmetcalf@ezchip.com>
    Cc: Paul Mackerras <paulus@samba.org>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    a209694c
signal32.c 14.8 KB