Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity
android_kernel_google_msm/kernel
History
Kees Cook 44ddae4227 signal: always clear sa_restorer on execve 
commit 2ca39528c0 upstream.

When the new signal handlers are set up, the location of sa_restorer is
not cleared, leaking a parent process's address space location to
children.  This allows for a potential bypass of the parent's ASLR by
examining the sa_restorer value returned when calling sigaction().

Based on what should be considered "secret" about addresses, it only
matters across the exec not the fork (since the VMAs haven't changed
until the exec).  But since exec sets SIG_DFL and keeps sa_restorer,
this is where it should be fixed.

Given the few uses of sa_restorer, a "set" function was not written
since this would be the only use.  Instead, we use
__ARCH_HAS_SA_RESTORER, as already done in other places.

Example of the leak before applying this patch:

  $ cat /proc/$$/maps
  ...
  7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
  ...
  $ ./leak
  ...
  7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
  ...
  1 0 (nil) 0x7fb9f30b94a0
  2 4000000 (nil) 0x7f278bcaa4a0
  3 4000000 (nil) 0x7f278bcaa4a0
  4 0 (nil) 0x7fb9f30b94a0
  ...

[akpm@linux-foundation.org: use SA_RESTORER for backportability]
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Emese Revfy <re.emese@gmail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Julien Tinnes <jln@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-20 13:04:58 -07:00
..
debug kdb,vt_console: Fix missed data due to pager overruns 2012-10-21 09:27:59 -07:00
events perf_event: Switch to internal refcount, fix race with close() 2012-10-02 10:29:54 -07:00
gcov
irq genirq: Avoid deadlock in spurious handling 2013-02-28 06:58:58 -08:00
power ftrace: Disable function tracing during suspend/resume and hibernation, again 2012-08-09 08:31:29 -07:00
sched sched/rt: Use root_domain of rt_rq not current processor 2013-02-11 08:47:18 -08:00
time timekeeping: Cast raw_interval to u64 to avoid shift overflow 2012-12-03 11:47:23 -08:00
trace ftrace: Update the kconfig for DYNAMIC_FTRACE 2013-03-14 11:29:51 -07:00
.gitignore
acct.c
async.c Fix a dead loop in async_synchronize_full() 2012-10-02 10:30:35 -07:00
audit.c constify path argument of audit_log_d_path() 2012-03-20 21:29:40 -04:00
audit.h
audit_tree.c audit: fix refcounting in audit-tree 2012-09-14 10:00:18 -07:00
audit_watch.c
auditfilter.c
auditsc.c
backtracetest.c
bounds.c
capability.c
cgroup.c cgroup: fix exit() vs rmdir() race 2013-03-04 06:06:44 +08:00
cgroup_freezer.c
compat.c compat: Fix RT signal mask corruption via sigprocmask 2012-05-10 08:58:33 -07:00
configs.c
cpu.c
cpu_pm.c
cpuset.c cpuset: fix cpuset_print_task_mems_allowed() vs rename() race 2013-03-04 06:06:44 +08:00
crash_dump.c
cred.c cred: copy_process() should clear child->replacement_session_keyring 2012-04-11 08:20:11 -07:00
delayacct.c
dma.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
elfcore.c
exec_domain.c
exit.c posix_types.h: Cleanup stale __NFDBITS and related definitions 2012-08-09 08:31:39 -07:00
extable.c
fork.c mm/fork: fix overflow in vma length when copying mmap on clone 2012-06-10 00:36:06 +09:00
freezer.c PM / Freezer: Remove references to TIF_FREEZE in comments 2012-03-04 23:08:54 +01:00
futex.c futex: Revert "futex: Mark get_robust_list as deprecated" 2013-02-28 06:59:01 -08:00
futex_compat.c futex: Revert "futex: Mark get_robust_list as deprecated" 2013-02-28 06:59:01 -08:00
groups.c
hrtimer.c hrtimer: Prevent hrtimer_enqueue_reprogram race 2013-02-28 06:58:59 -08:00
hung_task.c hung_task: fix the broken rcu_lock_break() logic 2012-03-05 15:49:42 -08:00
irq_work.c irq_work: fix compile failure on tile from missing include 2012-04-13 13:15:16 -04:00
itimer.c itimer: Use printk_once instead of WARN_ONCE 2012-04-10 11:00:30 +02:00
jump_label.c static keys: Inline the static_key_enabled() function 2012-02-28 20:01:08 +01:00
kallsyms.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks locking/kconfig: Simplify INLINE_SPIN_UNLOCK usage 2012-03-23 13:18:57 +01:00
Kconfig.preempt locking/kconfig: Simplify INLINE_SPIN_UNLOCK usage 2012-03-23 13:18:57 +01:00
kexec.c Merge branch 'akpm' (Andrew's patch-bomb) 2012-03-28 17:19:28 -07:00
kfifo.c
kmod.c PM / Sleep: Mitigate race between the freezer and request_firmware() 2012-03-28 23:30:28 +02:00
kprobes.c kprobes: return proper error code from register_kprobe() 2012-03-05 15:49:42 -08:00
ksysfs.c
kthread.c kthread_worker: reimplement flush_kthread_work() to allow freeing the work item being executed 2012-10-02 10:30:40 -07:00
latencytop.c
lockdep.c lockdep: Add CPU-idle/offline warning to lockdep-RCU splat 2012-02-21 09:06:06 -08:00
lockdep_internals.h
lockdep_proc.c
lockdep_states.h
Makefile
module.c module: fix out-by-one error in kallsyms 2012-11-26 11:37:41 -08:00
mutex-debug.c
mutex-debug.h
mutex.c sched/rt: Use schedule_preempt_disabled() 2012-03-01 10:28:03 +01:00
mutex.h
notifier.c
nsproxy.c
padata.c padata: Fix cpu hotplug 2012-03-29 19:52:46 +08:00
panic.c kdump: Execute kmsg_dump(KMSG_DUMP_PANIC) after smp_send_stop() 2012-06-22 11:36:56 -07:00
params.c params: <level>_initcall-like kernel parameters 2012-03-26 12:50:51 +10:30
pid.c vfs: fix panic in __d_lookup() with high dentry hashtable counts 2012-02-13 20:45:38 -05:00
pid_namespace.c pidns: add reboot_pid_ns() to handle the reboot syscall 2012-03-28 17:14:36 -07:00
posix-cpu-timers.c posix-cpu-timers: Fix nanosleep task_struct leak 2013-02-28 06:58:59 -08:00
posix-timers.c posix-timer: Don't call idr_find() with out-of-range ID 2013-03-04 06:06:38 +08:00
printk.c printk: fix buffer overflow when calling log_prefix function from call_console_drivers 2013-02-21 10:04:57 -08:00
profile.c
ptrace.c ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL 2013-01-27 20:47:43 -08:00
range.c
rcu.h rcu: Allow nesting of rcu_idle_enter() and rcu_idle_exit() 2012-02-21 09:06:12 -08:00
rcupdate.c rcu: Check for illegal use of RCU from offlined CPUs 2012-02-21 09:06:03 -08:00
rcutiny.c rcu: Add RCU_NONIDLE() for idle-loop RCU read-side critical sections 2012-02-21 09:06:13 -08:00
rcutiny_plugin.h rcu: Simplify unboosting checks 2012-02-21 09:03:43 -08:00
rcutorture.c PTR_ERR should be called before its argument is cleared. 2012-02-21 09:06:10 -08:00
rcutree.c rcu: Fix batch-limit size problem 2012-12-17 10:37:46 -08:00
rcutree.h rcu: Rework detection of use of RCU by offline CPUs 2012-02-21 09:06:07 -08:00
rcutree_plugin.h rcu: Hold off RCU_FAST_NO_HZ after timer posted 2012-02-21 09:42:30 -08:00
rcutree_trace.c rcu: Rework detection of use of RCU by offline CPUs 2012-02-21 09:06:07 -08:00
relay.c splice: fix racy pipe->buffers uses 2012-07-16 09:04:42 -07:00
res_counter.c
resource.c kernel/resource.c: fix stack overflow in __reserve_region_with_split() 2013-02-14 10:48:53 -08:00
rtmutex-debug.c
rtmutex-debug.h
rtmutex-tester.c
rtmutex.c
rtmutex.h
rtmutex_common.h
rwsem.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
seccomp.c
semaphore.c
signal.c signal: always clear sa_restorer on execve 2013-03-20 13:04:58 -07:00
smp.c smp: Fix SMP function call empty cpu mask race 2013-02-03 18:24:42 -06:00
softirq.c Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-20 10:32:09 -07:00
spinlock.c locking/kconfig: Simplify INLINE_SPIN_UNLOCK usage 2012-03-23 13:18:57 +01:00
srcu.c rcu: Call out dangers of expedited RCU primitives 2012-02-21 09:06:08 -08:00
stacktrace.c
stop_machine.c
sys.c use clamp_t in UNAME26 fix 2012-10-28 10:14:13 -07:00
sys_ni.c
sysctl.c sysctl: fix write access to dmesg_restrict/kptr_restrict 2012-04-05 14:51:43 +10:00
sysctl_binary.c sysctl: fix null checking in bin_dn_node_address() 2013-03-04 06:06:41 +08:00
taskstats.c
test_kprobes.c
time.c time: Remove bogus comments 2012-03-15 18:17:55 -07:00
timeconst.pl timeconst.pl: Eliminate Perl warning 2013-02-28 06:58:58 -08:00
timer.c timers: Fix endless looping between cascade() and internal_add_timer() 2012-10-21 09:27:59 -07:00
tracepoint.c static keys: Introduce 'struct static_key', static_key_true()/false() and static_key_slow_[inc|dec]() 2012-02-24 10:05:59 +01:00
tsacct.c
uid16.c
up.c
user-return-notifier.c
user.c
user_namespace.c
utsname.c
utsname_sysctl.c
wait.c
watchdog.c watchdog: using u64 in get_sample_period() 2012-12-03 11:47:17 -08:00
workqueue.c workqueue: convert BUG_ON()s in __queue_delayed_work() to WARN_ON_ONCE()s 2012-12-17 10:37:43 -08:00
workqueue_sched.h