[linux] 01/01: fix infoleak in waitid(2) (CVE-2017-14954)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sun Oct 1 11:26:34 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch master
in repository linux.
commit 2678c31e681a617d9467836baf832be3ba58c264
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Sun Oct 1 12:01:26 2017 +0200
fix infoleak in waitid(2) (CVE-2017-14954)
---
debian/changelog | 3 +
.../bugfix/all/fix-infoleak-in-waitid-2.patch | 66 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 70 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 9c8b9a6..86352c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -22,6 +22,9 @@ linux (4.13.4-1~exp1) UNRELEASED; urgency=medium
[ John Paul Adrian Glaubitz ]
* [m68k] Enable CONFIG_PATA_FALCON as module.
+ [ Salvatore Bonaccorso ]
+ * fix infoleak in waitid(2) (CVE-2017-14954)
+
-- Ben Hutchings <ben at decadent.org.uk> Thu, 21 Sep 2017 23:49:55 +0100
linux (4.13.2-1~exp1) experimental; urgency=medium
diff --git a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
new file mode 100644
index 0000000..b713b3f
--- /dev/null
+++ b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
@@ -0,0 +1,66 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 29 Sep 2017 13:43:15 -0400
+Subject: fix infoleak in waitid(2)
+Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
+
+kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
+case and waitid(2) rusage should've been copied out exactly in that case, *not*
+whenever kernel_waitid() has not returned an error. Compat variant shares that
+braino; none of kernel_wait4() callers do, so the below ought to fix it.
+
+Reported-and-tested-by: Alexander Potapenko <glider at google.com>
+Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
+Cc: stable at vger.kernel.org # v4.13
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ kernel/exit.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 3481ababd06a..f2cd53e92147 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
+ struct waitid_info info = {.status = 0};
+ long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
+ int signo = 0;
++
+ if (err > 0) {
+ signo = SIGCHLD;
+ err = 0;
+- }
+-
+- if (!err) {
+ if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
+ return -EFAULT;
+ }
+@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
+ if (err > 0) {
+ signo = SIGCHLD;
+ err = 0;
+- }
+-
+- if (!err && uru) {
+- /* kernel_waitid() overwrites everything in ru */
+- if (COMPAT_USE_64BIT_TIME)
+- err = copy_to_user(uru, &ru, sizeof(ru));
+- else
+- err = put_compat_rusage(&ru, uru);
+- if (err)
+- return -EFAULT;
++ if (uru) {
++ /* kernel_waitid() overwrites everything in ru */
++ if (COMPAT_USE_64BIT_TIME)
++ err = copy_to_user(uru, &ru, sizeof(ru));
++ else
++ err = put_compat_rusage(&ru, uru);
++ if (err)
++ return -EFAULT;
++ }
+ }
+
+ if (!infop)
+--
+2.14.2
+
diff --git a/debian/patches/series b/debian/patches/series
index a9c88ff..647e20e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -117,6 +117,7 @@ bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
+bugfix/all/fix-infoleak-in-waitid-2.patch
# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list