Patchwork [3.5.y.z,extended,stable] Patch "kernel/signal.c: stop info leak via the tkill and the tgkill" has been added to staging queue

Submitter Luis Henriques
Date April 22, 2013, 12:38 p.m.
Message ID <>
Permalink /patch/238879/
State New


Luis Henriques - April 22, 2013, 12:38 p.m.
This is a note to let you know that I have just added a patch titled

    kernel/signal.c: stop info leak via the tkill and the tgkill

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From b293afc4a71c582be2bca9b1ca35211e2f5fd273 Mon Sep 17 00:00:00 2001
From: Emese Revfy <>
Date: Wed, 17 Apr 2013 15:58:36 -0700
Subject: [PATCH] kernel/signal.c: stop info leak via the tkill and the tgkill

commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream.

This fixes a kernel memory contents leak via the tkill and tgkill syscalls
for compat processes.

This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
when handling signals delivered from tkill.

The place of the infoleak:

int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
        put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);

Signed-off-by: Emese Revfy <>
Reviewed-by: PaX Team <>
Signed-off-by: Kees Cook <>
Cc: Al Viro <>
Cc: Oleg Nesterov <>
Cc: "Eric W. Biederman" <>
Cc: Serge Hallyn <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Luis Henriques <>
 kernel/signal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



diff --git a/kernel/signal.c b/kernel/signal.c
index 0e9b729..c0356f9 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2885,7 +2885,7 @@  do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)

 static int do_tkill(pid_t tgid, pid_t pid, int sig)
-	struct siginfo info;
+	struct siginfo info = {};

 	info.si_signo = sig;
 	info.si_errno = 0;
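
Review bot: at the added line "struct siginfo info = {};" in do_tkill(), the empty-brace initializer is a GNU C extension, and the C standard does not promise that an initializer clears padding or the bytes of a union beyond the member it initializes. The commit message says the leaked bytes are read through si_ptr in copy_siginfo_to_user32(), while the visible context only assigns si_signo and si_errno field by field. An explicit "memset(&info, 0, sizeof(info));" ahead of the assignments would make the whole-object clearing unambiguous and independent of compiler behaviour. Either way, with the structure zeroed the "info.si_errno = 0;" line below is redundant, and a one-line comment saying the zeroing keeps uninitialized stack bytes out of the compat copy would stop a later cleanup from removing it.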