[linux] 01/01: waitid(): Add missing access_ok() checks (CVE-2017-5123)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Oct 12 19:18:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 35125947a2f42d7ad955184e2811143311096a30
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu Oct 12 21:16:06 2017 +0200
waitid(): Add missing access_ok() checks (CVE-2017-5123)
---
debian/changelog | 1 +
.../all/waitid-Add-missing-access_ok-checks.patch | 47 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 49 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index b2b261c..807c84b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ linux (4.13.4-2) UNRELEASED; urgency=medium
* mac80211: fix deadlock in driver-managed RX BA session start.
Thanks to Eric Côté (Closes: #878092)
* KEYS: prevent KEYCTL_READ on negative key (CVE-2017-12192)
+ * waitid(): Add missing access_ok() checks (CVE-2017-5123)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 04 Oct 2017 23:14:54 +0100
diff --git a/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch b/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
new file mode 100644
index 0000000..4872b37
--- /dev/null
+++ b/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
@@ -0,0 +1,47 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Mon, 9 Oct 2017 11:36:52 -0700
+Subject: waitid(): Add missing access_ok() checks
+Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123
+
+Adds missing access_ok() checks.
+
+CVE-2017-5123
+
+Reported-by: Chris Salls <chrissalls5 at gmail.com>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Acked-by: Al Viro <viro at zeniv.linux.org.uk>
+Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
+Cc: stable at kernel.org # 4.13
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ kernel/exit.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index f2cd53e92147..cf28528842bc 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
+ if (!infop)
+ return err;
+
++ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
++ goto Efault;
++
+ user_access_begin();
+ unsafe_put_user(signo, &infop->si_signo, Efault);
+ unsafe_put_user(0, &infop->si_errno, Efault);
+@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
+ if (!infop)
+ return err;
+
++ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
++ goto Efault;
++
+ user_access_begin();
+ unsafe_put_user(signo, &infop->si_signo, Efault);
+ unsafe_put_user(0, &infop->si_errno, Efault);
+--
+2.15.0.rc0
+
diff --git a/debian/patches/series b/debian/patches/series
index 82a5b45..9662966 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -124,6 +124,7 @@ bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
+bugfix/all/waitid-Add-missing-access_ok-checks.patch
# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list