mirror of
https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
synced 2024-11-01 02:21:16 +00:00
a6bb935312
commit 3c00cb5e68dc719f2fc73a33b1b230aadfcb1309 upstream.
This function can leak kernel stack data when the user siginfo_t has a
positive si_code value. The top 16 bits of si_code descibe which fields
in the siginfo_t union are active, but they are treated inconsistently
between copy_siginfo_from_user32, copy_siginfo_to_user32 and
copy_siginfo_to_user.
copy_siginfo_from_user32 is called from rt_sigqueueinfo and
rt_tgsigqueueinfo in which the user has full control overthe top 16 bits
of si_code.
This fixes the following information leaks:
x86: 8 bytes leaked when sending a signal from a 32-bit process to
itself. This leak grows to 16 bytes if the process uses x32.
(si_code = __SI_CHLD)
x86: 100 bytes leaked when sending a signal from a 32-bit process to
a 64-bit process. (si_code = -1)
sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
64-bit process. (si_code = any)
parsic and s390 have similar bugs, but they are not vulnerable because
rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
to a different process. These bugs are also fixed for consistency.
Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|---|---|---|
| .. | ||
| .gitignore | ||
| 8250-platform.c | ||
| asm-offsets.c | ||
| binfmt_elfn32.c | ||
| binfmt_elfo32.c | ||
| bmips_vec.S | ||
| branch.c | ||
| cevt-bcm1480.c | ||
| cevt-ds1287.c | ||
| cevt-gic.c | ||
| cevt-gt641xx.c | ||
| cevt-r4k.c | ||
| cevt-sb1250.c | ||
| cevt-smtc.c | ||
| cevt-txx9.c | ||
| cpu-bugs64.c | ||
| cpu-probe.c | ||
| crash.c | ||
| crash_dump.c | ||
| csrc-bcm1480.c | ||
| csrc-gic.c | ||
| csrc-ioasic.c | ||
| csrc-powertv.c | ||
| csrc-r4k.c | ||
| csrc-sb1250.c | ||
| early_printk.c | ||
| entry.S | ||
| ftrace.c | ||
| genex.S | ||
| gpio_txx9.c | ||
| head.S | ||
| i8253.c | ||
| i8259.c | ||
| idle.c | ||
| irq-gic.c | ||
| irq-gt641xx.c | ||
| irq-msc01.c | ||
| irq-rm7000.c | ||
| irq.c | ||
| irq_cpu.c | ||
| irq_txx9.c | ||
| jump_label.c | ||
| kgdb.c | ||
| kprobes.c | ||
| linux32.c | ||
| machine_kexec.c | ||
| Makefile | ||
| mcount.S | ||
| mips-mt-fpaff.c | ||
| mips-mt.c | ||
| mips_ksyms.c | ||
| mips_machine.c | ||
| module-rela.c | ||
| module.c | ||
| octeon_switch.S | ||
| perf_event.c | ||
| perf_event_mipsxx.c | ||
| proc.c | ||
| process.c | ||
| prom.c | ||
| ptrace.c | ||
| ptrace32.c | ||
| r4k_fpu.S | ||
| r4k_switch.S | ||
| r2300_fpu.S | ||
| r2300_switch.S | ||
| r6000_fpu.S | ||
| relocate_kernel.S | ||
| reset.c | ||
| rtlx.c | ||
| scall32-o32.S | ||
| scall64-64.S | ||
| scall64-n32.S | ||
| scall64-o32.S | ||
| setup.c | ||
| signal-common.h | ||
| signal.c | ||
| signal32.c | ||
| signal_n32.c | ||
| smp-bmips.c | ||
| smp-cmp.c | ||
| smp-mt.c | ||
| smp-up.c | ||
| smp.c | ||
| smtc-asm.S | ||
| smtc-proc.c | ||
| smtc.c | ||
| spinlock_test.c | ||
| spram.c | ||
| stacktrace.c | ||
| sync-r4k.c | ||
| syscall.c | ||
| time.c | ||
| topology.c | ||
| traps.c | ||
| unaligned.c | ||
| vdso.c | ||
| vmlinux.lds.S | ||
| vpe.c | ||
| watch.c | ||