[3.5.y.z,extended,stable] Patch "kernel/signal.c: stop info leak via the tkill and the tgkill" has been added to staging queue

Message ID 1366634314-16910-1-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques April 22, 2013, 12:38 p.m.
This is a note to let you know that I have just added a patch titled

    kernel/signal.c: stop info leak via the tkill and the tgkill

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From b293afc4a71c582be2bca9b1ca35211e2f5fd273 Mon Sep 17 00:00:00 2001
From: Emese Revfy <re.emese@gmail.com>
Date: Wed, 17 Apr 2013 15:58:36 -0700
Subject: [PATCH] kernel/signal.c: stop info leak via the tkill and the tgkill

commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream.

This fixes a kernel memory contents leak via the tkill and tgkill syscalls
for compat processes.

This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
when handling signals delivered from tkill.

The place of the infoleak:

int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
        put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);

Signed-off-by: Emese Revfy <re.emese@gmail.com>
Reviewed-by: PaX Team <pageexec@freemail.hu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
 kernel/signal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



diff --git a/kernel/signal.c b/kernel/signal.c
index 0e9b729..c0356f9 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2885,7 +2885,7 @@  do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)

 static int do_tkill(pid_t tgid, pid_t pid, int sig)
-	struct siginfo info;
+	struct siginfo info = {};

 	info.si_signo = sig;
 	info.si_errno = 0;