[linux] 01/01: fix infoleak in waitid(2) (CVE-2017-14954)

debian-kernel at lists.debian.org
Sun Oct 1 11:26:34 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch master
in repository linux.

commit 2678c31e681a617d9467836baf832be3ba58c264
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sun Oct 1 12:01:26 2017 +0200

    fix infoleak in waitid(2) (CVE-2017-14954)
---
 debian/changelog                                   |  3 +
 .../bugfix/all/fix-infoleak-in-waitid-2.patch      | 66 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 70 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 9c8b9a6..86352c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -22,6 +22,9 @@ linux (4.13.4-1~exp1) UNRELEASED; urgency=medium
   [ John Paul Adrian Glaubitz ]
   * [m68k] Enable CONFIG_PATA_FALCON as module.
 
+  [ Salvatore Bonaccorso ]
+  * fix infoleak in waitid(2) (CVE-2017-14954)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Thu, 21 Sep 2017 23:49:55 +0100
 
 linux (4.13.2-1~exp1) experimental; urgency=medium
diff --git a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
new file mode 100644
index 0000000..b713b3f
--- /dev/null
+++ b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
@@ -0,0 +1,66 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 29 Sep 2017 13:43:15 -0400
+Subject: fix infoleak in waitid(2)
+Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
+
+kernel_waitid() can return a PID, an error or 0.  rusage is filled in the first
+case and waitid(2) rusage should've been copied out exactly in that case, *not*
+whenever kernel_waitid() has not returned an error.  Compat variant shares that
+braino; none of kernel_wait4() callers do, so the below ought to fix it.
+
+Reported-and-tested-by: Alexander Potapenko <glider at google.com>
+Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
+Cc: stable at vger.kernel.org # v4.13
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ kernel/exit.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 3481ababd06a..f2cd53e92147 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
+ 	struct waitid_info info = {.status = 0};
+ 	long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
+ 	int signo = 0;
++
+ 	if (err > 0) {
+ 		signo = SIGCHLD;
+ 		err = 0;
+-	}
+-
+-	if (!err) {
+ 		if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
+ 			return -EFAULT;
+ 	}
+@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
+ 	if (err > 0) {
+ 		signo = SIGCHLD;
+ 		err = 0;
+-	}
+-
+-	if (!err && uru) {
+-		/* kernel_waitid() overwrites everything in ru */
+-		if (COMPAT_USE_64BIT_TIME)
+-			err = copy_to_user(uru, &ru, sizeof(ru));
+-		else
+-			err = put_compat_rusage(&ru, uru);
+-		if (err)
+-			return -EFAULT;
++		if (uru) {
++			/* kernel_waitid() overwrites everything in ru */
++			if (COMPAT_USE_64BIT_TIME)
++				err = copy_to_user(uru, &ru, sizeof(ru));
++			else
++				err = put_compat_rusage(&ru, uru);
++			if (err)
++				return -EFAULT;
++		}
+ 	}
+ 
+ 	if (!infop)
+-- 
+2.14.2
+
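Review bot: since the upstream commit carries `Cc: stable at vger.kernel.org # v4.13`, this fix will arrive with the next 4.13.y point release, so both this patch file and its `debian/patches/series` entry should be scheduled for removal on that rebase to avoid a failed apply. The kernel change itself is correct as described in the header: kernel_waitid() returns 0 when no child is reported and leaves `r` (native) or `ru` (compat) untouched, so the old `if (!err)` / `if (!err && uru)` paths copied uninitialized kernel stack contents to userland; nesting the copy_to_user()/put_compat_rusage() calls inside the `err > 0` branch restricts the copy to the case in which rusage was actually filled in, and `err` is still reset to 0 before the copy, so the syscall's success return value is unchanged.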
diff --git a/debian/patches/series b/debian/patches/series
index a9c88ff..647e20e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -117,6 +117,7 @@ bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
 bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
 bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
 bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
+bugfix/all/fix-infoleak-in-waitid-2.patch
 
 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git