Commit b9e146d8 authored by Emese Revfy's avatar Emese Revfy Committed by Linus Torvalds
Browse files

kernel/signal.c: stop info leak via the tkill and the tgkill syscalls 



This fixes a kernel memory contents leak via the tkill and tgkill syscalls
for compat processes.

This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
when handling signals delivered from tkill.

The place of the infoleak:

int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
{
        ...
        put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
        ...
}

Signed-off-by: default avatarEmese Revfy <re.emese@gmail.com>
Reviewed-by: default avatarPaX Team <pageexec@freemail.hu>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent d72515b8

kernel/signal.c

+1 −1
Original line number Diff line number Diff line
@@ -2948,7 +2948,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info) 


static int do_tkill(pid_t tgid, pid_t pid, int sig)

{

	struct siginfo info;

	struct siginfo info = {};



	info.si_signo = sig;

	info.si_errno = 0;

CRA Git | Maintained and supported by SUSTech CRA and CCSE