android_kernel_samsung_msm8976/arch/mips
Amanieu d'Antras a6bb935312 signal: fix information leak in copy_siginfo_from_user32
commit 3c00cb5e68dc719f2fc73a33b1b230aadfcb1309 upstream.

This function can leak kernel stack data when the user siginfo_t has a
positive si_code value.  The top 16 bits of si_code describe which fields
in the siginfo_t union are active, but they are treated inconsistently
between copy_siginfo_from_user32, copy_siginfo_to_user32 and
copy_siginfo_to_user.

copy_siginfo_from_user32 is called from rt_sigqueueinfo and
rt_tgsigqueueinfo in which the user has full control over the top 16 bits
of si_code.

This fixes the following information leaks:
x86:   8 bytes leaked when sending a signal from a 32-bit process to
       itself. This leak grows to 16 bytes if the process uses x32.
       (si_code = __SI_CHLD)
x86:   100 bytes leaked when sending a signal from a 32-bit process to
       a 64-bit process. (si_code = -1)
sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
       64-bit process. (si_code = any)

parisc and s390 have similar bugs, but they are not vulnerable because
rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
to a different process.  These bugs are also fixed for consistency.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-08-16 20:51:42 -07:00
..
alchemy
ar7
ath79
bcm47xx
bcm63xx
boot MIPS: ZBOOT: add missing <linux/string.h> include 2014-10-05 14:54:10 -07:00
cavium-octeon MIPS: OCTEON: make get_system_type() thread-safe 2014-09-17 09:03:58 -07:00
cobalt
configs
dec
emma
fw
include MIPS: Make set_pte() SMP safe. 2015-08-16 20:51:35 -07:00
jazz
jz4740
kernel signal: fix information leak in copy_siginfo_from_user32 2015-08-16 20:51:42 -07:00
kvm MIPS: KVM: Do not sign extend on unsigned MMIO load 2015-08-03 09:29:47 -07:00
lantiq
lasat
lib
loongson MIPS: Loongson: Make platform serial setup always built-in. 2014-12-06 15:05:46 -08:00
loongson1
math-emu
mm vm: add VM_FAULT_SIGSEGV handling support 2015-04-29 10:34:00 +02:00
mti-malta
mti-sead3
netlogic
oprofile MIPS: oprofile: Fix backtrace on 64-bit kernel 2014-12-06 15:05:46 -08:00
pci
pmcs-msp71xx
pnx833x
power nosave: consolidate __nosave_{begin,end} in <asm/sections.h> 2015-05-06 21:56:28 +02:00
powertv
ralink
rb532
sgi-ip22
sgi-ip27
sgi-ip32
sibyte
sni
txx9
vr41xx
wrppmc
Kbuild
Kbuild.platforms
Kconfig
Kconfig.debug
Makefile