[kernel] r20106 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

[Dann Frazier]

Author: dannf
Date: Wed May 15 04:06:00 2013
New Revision: 20106

Log:
kernel/signal.c: stop info leak via the tkill and the tgkill syscalls

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Wed May 15 03:58:27 2013	(r20105)
+++ dists/wheezy-security/linux/debian/changelog	Wed May 15 04:06:00 2013	(r20106)
@@ -26,6 +26,7 @@
   * [x86] KVM: Allow cross page reads and writes from cached translations.
     (fixes regression in fix for CVE-2013-1796)
   * net: fix incorrect credentials passing (CVE-2013-1979)
+  * kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
 
  -- dann frazier <dannf at debian.org>  Tue, 14 May 2013 11:48:39 -0600
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch	Wed May 15 04:06:00 2013	(r20106)
@@ -0,0 +1,53 @@
+From ffe1341edbe2878134f3083625d5c916670d0fca Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese at gmail.com>
+Date: Wed, 17 Apr 2013 15:58:36 -0700
+Subject: [PATCH] kernel/signal.c: stop info leak via the tkill and the tgkill
+ syscalls
+
+commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream.
+
+This fixes a kernel memory contents leak via the tkill and tgkill syscalls
+for compat processes.
+
+This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
+when handling signals delivered from tkill.
+
+The place of the infoleak:
+
+int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
+{
+        ...
+        put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
+        ...
+}
+
+Signed-off-by: Emese Revfy <re.emese at gmail.com>
+Reviewed-by: PaX Team <pageexec at freemail.hu>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Al Viro <viro at zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: "Eric W. Biederman" <ebiederm at xmission.com>
+Cc: Serge Hallyn <serge.hallyn at canonical.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ kernel/signal.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index ea76d30..3ecf574 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2790,7 +2790,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+ 
+ static int do_tkill(pid_t tgid, pid_t pid, int sig)
+ {
+-	struct siginfo info;
++	struct siginfo info = {};
+ 
+ 	info.si_signo = sig;
+ 	info.si_errno = 0;
+-- 
+1.7.10.4
+

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Wed May 15 03:58:27 2013	(r20105)
+++ dists/wheezy-security/linux/debian/patches/series	Wed May 15 04:06:00 2013	(r20106)
@@ -660,3 +660,4 @@
 bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
 bugfix/all/net-fix-incorrect-credentials-passing.patch
 bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
+bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch