[PATCH] information leak in sigaltstack

From: Ulrich Drepper
Date: Fri Jul 31 2009 - 15:48:21 EST

Next message: Ingo Molnar: "Re: [GIT PULL] Additional x86 fixes for 2.6.31-rc5"
Previous message: Linus Torvalds: "Re: [GIT PULL] Additional x86 fixes for 2.6.31-rc5"
Next in thread: Linus Torvalds: "Re: [PATCH] information leak in sigaltstack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Unfortunately the stack_t data structure was defined before people
cared much about 64-bit architectures. It has a hole in the middle.
And this hole is creating an information leak in the sigaltstack
syscall.

When the second parameter to sigaltstack is non-NULL the current stack
information is passed to the caller by filling in the members of the
stack_t structure and then the whole structure is copied using
copy_to_user. This unfortunately leaves the whole after flags
uninitialized.

The following patch should fix the issue.

Signed-off-by: Ulrich Drepper <drepper@xxxxxxxxxx>

diff --git a/kernel/signal.c b/kernel/signal.c
index ccf1cee..612d6b7 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2455,6 +2455,9 @@ do_sigaltstack (const stack_t __user *uss, stack_t __user *uoss, unsigned long s
int error;

if (uoss) {
+ if (offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags) !=
+ offsetof(stack_t, ss_size))
+ memset(&oss, '\0', sizeof(oss));
oss.ss_sp = (void __user *) current->sas_ss_sp;
oss.ss_size = current->sas_ss_size;
oss.ss_flags = sas_ss_flags(sp);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [GIT PULL] Additional x86 fixes for 2.6.31-rc5"
Previous message: Linus Torvalds: "Re: [GIT PULL] Additional x86 fixes for 2.6.31-rc5"
Next in thread: Linus Torvalds: "Re: [PATCH] information leak in sigaltstack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]