Message ID | 1371727889-8720-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
On Thu, Jun 20, 2013 at 12:31:29PM +0100, Luis Henriques wrote:
> From: Emese Revfy <re.emese@gmail.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1187732
>
> CVE-2013-2141
>
> This fixes a kernel memory contents leak via the tkill and tgkill syscalls
> for compat processes.
>
> This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
> when handling signals delivered from tkill.
>
> The place of the infoleak:
>
> int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
> {
>         ...
>         put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
>         ...
> }
>
> Signed-off-by: Emese Revfy <re.emese@gmail.com>
> Reviewed-by: PaX Team <pageexec@freemail.hu>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Oleg Nesterov <oleg@redhat.com>
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Serge Hallyn <serge.hallyn@canonical.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f)
>
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  kernel/signal.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 1c6675b..fb7e242 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -2301,7 +2301,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
>  
>  static int do_tkill(pid_t tgid, pid_t pid, int sig)
>  {
> -	struct siginfo info;
> +	struct siginfo info = {};
>  
>  	info.si_signo = sig;
>  	info.si_errno = 0;
> --
> 1.8.1.2
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Matches upstream and looks to do what is claimed.

Acked-by: Andy Whitcroft <apw@canonical.com>

That this is only for lucid, does that imply we are getting the rest via
stable?

-apw
Andy Whitcroft <apw@canonical.com> writes:

> On Thu, Jun 20, 2013 at 12:31:29PM +0100, Luis Henriques wrote:
>> From: Emese Revfy <re.emese@gmail.com>
>>
>> BugLink: https://bugs.launchpad.net/bugs/1187732
>>
>> CVE-2013-2141
>>
>> This fixes a kernel memory contents leak via the tkill and tgkill syscalls
>> for compat processes.
>>
>> This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
>> when handling signals delivered from tkill.
>>
>> The place of the infoleak:
>>
>> int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
>> {
>>         ...
>>         put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
>>         ...
>> }
>>
>> Signed-off-by: Emese Revfy <re.emese@gmail.com>
>> Reviewed-by: PaX Team <pageexec@freemail.hu>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> Cc: Al Viro <viro@zeniv.linux.org.uk>
>> Cc: Oleg Nesterov <oleg@redhat.com>
>> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
>> Cc: Serge Hallyn <serge.hallyn@canonical.com>
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>> (cherry picked from commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f)
>>
>> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
>> ---
>>  kernel/signal.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/kernel/signal.c b/kernel/signal.c
>> index 1c6675b..fb7e242 100644
>> --- a/kernel/signal.c
>> +++ b/kernel/signal.c
>> @@ -2301,7 +2301,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
>>  
>>  static int do_tkill(pid_t tgid, pid_t pid, int sig)
>>  {
>> -	struct siginfo info;
>> +	struct siginfo info = {};
>>  
>>  	info.si_signo = sig;
>>  	info.si_errno = 0;
>> --
>> 1.8.1.2
>>
>>
>> --
>> kernel-team mailing list
>> kernel-team@lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
> Matches upstream and looks to do what is claimed.
>
> Acked-by: Andy Whitcroft <apw@canonical.com>
>
> That this is only for lucid, does that imply we are getting the rest via
> stable?

Yes, the fixes for both CVEs are already queued (or released) in the
stable trees. Since these patches are already too late for this SRU
cycle, I guess we can just wait for the stable updates to bring the
fixes into the other series.

Cheers,
On Thu, Jun 20, 2013 at 01:52:12PM +0100, Luis Henriques wrote:
> Andy Whitcroft <apw@canonical.com> writes:
>
> > On Thu, Jun 20, 2013 at 12:31:29PM +0100, Luis Henriques wrote:
> >> From: Emese Revfy <re.emese@gmail.com>
> >>
> >> BugLink: https://bugs.launchpad.net/bugs/1187732
> >>
> >> CVE-2013-2141
> >>
> >> This fixes a kernel memory contents leak via the tkill and tgkill syscalls
> >> for compat processes.
> >>
> >> This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
> >> when handling signals delivered from tkill.
> >>
> >> The place of the infoleak:
> >>
> >> int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
> >> {
> >>         ...
> >>         put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
> >>         ...
> >> }
> >>
> >> Signed-off-by: Emese Revfy <re.emese@gmail.com>
> >> Reviewed-by: PaX Team <pageexec@freemail.hu>
> >> Signed-off-by: Kees Cook <keescook@chromium.org>
> >> Cc: Al Viro <viro@zeniv.linux.org.uk>
> >> Cc: Oleg Nesterov <oleg@redhat.com>
> >> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> >> Cc: Serge Hallyn <serge.hallyn@canonical.com>
> >> Cc: <stable@vger.kernel.org>
> >> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> >> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> >> (cherry picked from commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f)
> >>
> >> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> >> ---
> >>  kernel/signal.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/kernel/signal.c b/kernel/signal.c
> >> index 1c6675b..fb7e242 100644
> >> --- a/kernel/signal.c
> >> +++ b/kernel/signal.c
> >> @@ -2301,7 +2301,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
> >>  
> >>  static int do_tkill(pid_t tgid, pid_t pid, int sig)
> >>  {
> >> -	struct siginfo info;
> >> +	struct siginfo info = {};
> >>  
> >>  	info.si_signo = sig;
> >>  	info.si_errno = 0;
> >> --
> >> 1.8.1.2
> >>
> >>
> >> --
> >> kernel-team mailing list
> >> kernel-team@lists.ubuntu.com
> >> https://lists.ubuntu.com/mailman/listinfo/kernel-team
> >
> > Matches upstream and looks to do what is claimed.
> >
> > Acked-by: Andy Whitcroft <apw@canonical.com>
> >
> > That this is only for lucid, does that imply we are getting the rest via
> > stable?
>
> Yes, the fixes for both CVEs are already queued (or released) in the
> stable trees. Since these patches are already too late for this SRU
> cycle, I guess we can just wait for the stable updates to bring the
> fixes into the other series.

I am sure that works.

-apw
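The commit message in the thread above describes the mechanism but not the data flow that makes it a leak: the sender fills a few named members of a large `struct siginfo`, while the 32-bit compat copy routine reads a union member (`si_ptr`) the sender never wrote, so whatever the stack slot held before is handed to user space. The following user-space model is an added illustration and is not kernel code or part of the patch: `struct model_siginfo`, the `build_tkill_info_before`/`build_tkill_info_after` builders, `compat_copy_si_ptr`, `STALE_BYTE` and the signal/pid/uid values are all simplified stand-ins constructed here. The "stale stack" is simulated by pre-filling the buffer with a marker byte, which is what makes the result deterministic enough to check.

```c
/*
 * User-space model of the CVE-2013-2141 infoleak pattern. Added example only:
 * struct layouts, names and values are constructed stand-ins for the kernel's
 * struct siginfo, compat_siginfo_t, do_tkill() and copy_siginfo_to_user32().
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for struct siginfo: a fixed header followed by a union whose
 * members overlap, padded out to the 128-byte size of the real struct. */
struct model_siginfo {
    int si_signo;
    int si_errno;
    int si_code;
    union {
        struct { int si_pid; unsigned si_uid; } _kill;
        struct { int si_pid; unsigned si_uid; void *sival_ptr; } _rt;
        unsigned char _pad[112];
    } _sifields;
};

typedef void (*builder_fn)(struct model_siginfo *, int, int, unsigned);

/* Constructed marker for "whatever an earlier call left in this stack slot". */
#define STALE_BYTE 0xAA

/* Mirrors the pre-patch do_tkill(): `struct siginfo info;` with no initializer,
 * then assignment of only the members a kill-style sender cares about. Every
 * other byte of the struct keeps whatever the buffer already held. */
static void build_tkill_info_before(struct model_siginfo *info,
                                    int sig, int pid, unsigned uid)
{
    info->si_signo = sig;
    info->si_errno = 0;
    info->si_code = 0;            /* SI_TKILL in the kernel; placeholder here */
    info->_sifields._kill.si_pid = pid;
    info->_sifields._kill.si_uid = uid;
}

/* Mirrors the patched do_tkill(): `struct siginfo info = {};`. The memset
 * stands in for the zero initializer and makes the clearing of padding bytes
 * explicit instead of leaving it to the compiler. */
static void build_tkill_info_after(struct model_siginfo *info,
                                   int sig, int pid, unsigned uid)
{
    memset(info, 0, sizeof *info);
    build_tkill_info_before(info, sig, pid, uid);
}

/* Stand-in for the put_user_ex(ptr_to_compat(from->si_ptr), ...) line the
 * commit message points at: the compat copy reads the _rt member's pointer
 * regardless of which union member the sender actually filled in. */
static uint32_t compat_copy_si_ptr(const struct model_siginfo *from)
{
    return (uint32_t)(uintptr_t)from->_sifields._rt.sival_ptr;
}

/* Defender's check: bytes that still carry the stale marker after the builder
 * ran are bytes that would reach user space unchanged. */
static size_t count_stale_bytes(const struct model_siginfo *info)
{
    const unsigned char *p = (const unsigned char *)info;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *info; i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

/* Simulates the stack slot holding leftovers, then runs the given builder. */
static void run_builder(builder_fn build, struct model_siginfo *info)
{
    memset(info, STALE_BYTE, sizeof *info);   /* constructed stale contents */
    build(info, 10, 1234, 1000);               /* constructed sig/pid/uid */
}

/* Value the compat copy would hand to user space for this builder. */
static uint32_t leaked_si_ptr(builder_fn build)
{
    struct model_siginfo info;
    run_builder(build, &info);
    return compat_copy_si_ptr(&info);
}

/* Number of never-written bytes left over for this builder. */
static size_t stale_bytes_left(builder_fn build)
{
    struct model_siginfo info;
    run_builder(build, &info);
    return count_stale_bytes(&info);
}

int main(void)
{
    printf("before: si_ptr=0x%08x stale bytes=%zu\n",
           leaked_si_ptr(build_tkill_info_before),
           stale_bytes_left(build_tkill_info_before));
    printf("after:  si_ptr=0x%08x stale bytes=%zu\n",
           leaked_si_ptr(build_tkill_info_after),
           stale_bytes_left(build_tkill_info_after));
    return 0;
}
```

The "before" run shows the marker bytes surfacing in the compat `si_ptr` field and in over a hundred other bytes of the struct; the "after" run shows zero in both. The same byte-counting check is the kind of thing a reviewer can reason about for any kernel struct that is partially filled and then copied to user space as a whole.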
diff --git a/kernel/signal.c b/kernel/signal.c
index 1c6675b..fb7e242 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2301,7 +2301,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
 
 static int do_tkill(pid_t tgid, pid_t pid, int sig)
 {
-	struct siginfo info;
+	struct siginfo info = {};
 
 	info.si_signo = sig;
 	info.si_errno = 0;
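Review bot: the `struct siginfo info = {};` line in do_tkill() closes the leak the commit message describes, but `= {}` is a GNU extension rather than standard C, and whether a brace initializer also clears compiler-inserted padding inside the struct (which copy-to-user paths hand out just like named members) has historically depended on the compiler; `memset(&info, 0, sizeof(info));` would state the intent unambiguously and match how other kernel code zeroes structs bound for user space. Two smaller points on the same hunk: with the whole struct zeroed, the retained `info.si_errno = 0;` context line is now redundant and could be dropped in a follow-up; and the commit message names both tkill and tgkill while the hunk touches only do_tkill(), which its `tgid` parameter and the do_send_specific() context show to be the shared helper behind both, so the single change does cover both syscalls.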