| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 4 May 2016 10:31:22 +0000
From: Catalin Marinas <catalin.marinas@....com>
To: Kangjie Lu <kangjielu@...il.com>
Cc: will.deacon@....com, james.morse@....com,
linux-kernel@...r.kernel.org, Kangjie Lu <kjlu@...ech.edu>
Subject: Re: [PATCH] fix infoleak in mm
On Tue, May 03, 2016 at 04:36:08PM -0400, Kangjie Lu wrote:
> The stack object “si” has a total size of 128; however, only 20
> bytes are initialized. The remaining uninitialized bytes are sent
> to userland via send_signal
>
> Signed-off-by: Kangjie Lu <kjlu@...ech.edu>
> ---
> arch/arm64/mm/fault.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index 95df28b..f790eda 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> @@ -117,6 +117,7 @@ static void __do_user_fault(struct task_struct *tsk, unsigned long addr,
> {
> struct siginfo si;
>
> + memset(&si, 0, sizeof(si));
> if (unhandled_signal(tsk, sig) && show_unhandled_signals_ratelimited()) {
> pr_info("%s[%d]: unhandled %s (%d) at 0x%08lx, esr 0x%03x\n",
> tsk->comm, task_pid_nr(tsk), fault_name(esr), sig,
I'm not convinced this is necessary. Have you actually seen such
information leak getting to user space? The actual writing of siginfo to
the user stack happens in copy_siginfo_to_user() (called from
setup_rt_frame) which should (at least in theory) only copy
pre-populated fields.
--
Catalin
Powered by blists - more mailing lists