[kernel] r20106 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Dann Frazier
dannf at alioth.debian.org
Wed May 15 04:06:01 UTC 2013
Author: dannf
Date: Wed May 15 04:06:00 2013
New Revision: 20106
Log:
kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Wed May 15 03:58:27 2013 (r20105)
+++ dists/wheezy-security/linux/debian/changelog Wed May 15 04:06:00 2013 (r20106)
@@ -26,6 +26,7 @@
* [x86] KVM: Allow cross page reads and writes from cached translations.
(fixes regression in fix for CVE-2013-1796)
* net: fix incorrect credentials passing (CVE-2013-1979)
+ * kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
-- dann frazier <dannf at debian.org> Tue, 14 May 2013 11:48:39 -0600
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch Wed May 15 04:06:00 2013 (r20106)
@@ -0,0 +1,53 @@
+From ffe1341edbe2878134f3083625d5c916670d0fca Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese at gmail.com>
+Date: Wed, 17 Apr 2013 15:58:36 -0700
+Subject: [PATCH] kernel/signal.c: stop info leak via the tkill and the tgkill
+ syscalls
+
+commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream.
+
+This fixes a kernel memory contents leak via the tkill and tgkill syscalls
+for compat processes.
+
+This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
+when handling signals delivered from tkill.
+
+The place of the infoleak:
+
+int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
+{
+ ...
+ put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
+ ...
+}
+
+Signed-off-by: Emese Revfy <re.emese at gmail.com>
+Reviewed-by: PaX Team <pageexec at freemail.hu>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Al Viro <viro at zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: "Eric W. Biederman" <ebiederm at xmission.com>
+Cc: Serge Hallyn <serge.hallyn at canonical.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ kernel/signal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index ea76d30..3ecf574 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2790,7 +2790,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+
+ static int do_tkill(pid_t tgid, pid_t pid, int sig)
+ {
+- struct siginfo info;
++ struct siginfo info = {};
+
+ info.si_signo = sig;
+ info.si_errno = 0;
+--
+1.7.10.4
+
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Wed May 15 03:58:27 2013 (r20105)
+++ dists/wheezy-security/linux/debian/patches/series Wed May 15 04:06:00 2013 (r20106)
@@ -660,3 +660,4 @@
bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
bugfix/all/net-fix-incorrect-credentials-passing.patch
bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
+bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch
More information about the Kernel-svn-changes
mailing list