| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 31 Jul 2009 15:48:05 -0400
From: Ulrich Drepper <drepper@...hat.com>
To: linux-kernel@...r.kernel.org
Cc: akpm@...ux-foundation.org, torvalds@...ux-foundation.org
Subject: [PATCH] information leak in sigaltstack
Unfortunately the stack_t data structure was defined before people
cared much about 64-bit architectures. It has a hole in the middle.
And this hole is creating an information leak in the sigaltstack
syscall.
When the second parameter to sigaltstack is non-NULL the current stack
information is passed to the caller by filling in the members of the
stack_t structure and then the whole structure is copied using
copy_to_user. This unfortunately leaves the whole after flags
uninitialized.
The following patch should fix the issue.
Signed-off-by: Ulrich Drepper <drepper@...hat.com>
diff --git a/kernel/signal.c b/kernel/signal.c
index ccf1cee..612d6b7 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2455,6 +2455,9 @@ do_sigaltstack (const stack_t __user *uss, stack_t __user *uoss, unsigned long s
int error;
if (uoss) {
+ if (offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags) !=
+ offsetof(stack_t, ss_size))
+ memset(&oss, '\0', sizeof(oss));
oss.ss_sp = (void __user *) current->sas_ss_sp;
oss.ss_size = current->sas_ss_size;
oss.ss_flags = sas_ss_flags(sp);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists