Patchwork [Lucid,CVE-2013-2141] kernel/signal.c: stop info leak via the tkill and the tgkill syscalls

Submitter Luis Henriques
Date June 20, 2013, 11:31 a.m.
Message ID <1371727889-8720-1-git-send-email-luis.henriques@canonical.com>
Permalink /patch/252882/
State New

Comments

Luis Henriques - June 20, 2013, 11:31 a.m.
From: Emese Revfy <re.emese@gmail.com>

BugLink: https://bugs.launchpad.net/bugs/1187732

CVE-2013-2141

This fixes a kernel memory contents leak via the tkill and tgkill syscalls
for compat processes.

This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
when handling signals delivered from tkill.

The place of the infoleak:

int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
{
        ...
        put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
        ...
}

Signed-off-by: Emese Revfy <re.emese@gmail.com>
Reviewed-by: PaX Team <pageexec@freemail.hu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 kernel/signal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
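The commit message describes the leak as stack memory that do_tkill() never wrote being copied out through the _rt.si_sigval.sival_ptr member of the siginfo union. The following added example (not code from the patch, the kernel or the submitter) models that in a reduced userspace struct, using a constructed 0xA5 sentinel in place of stale stack bytes, and measures what the `= {}` initializer changes.

```c
#include <stddef.h>
#include <string.h>

/* Reduced model of struct siginfo: scalar header fields, then a union whose
 * members overlap. tkill fills only _kill, yet the compat copy-out reads _rt. */
struct siginfo_model {
	int si_signo, si_errno, si_code;
	union {
		struct { int pid; unsigned uid; } _kill;
		struct { int pid; unsigned uid;
			 union { int sival_int; void *sival_ptr; } si_sigval; } _rt;
	} _sifields;
};

#define STALE 0xA5	/* constructed sentinel standing in for leftover stack bytes */

/* The assignments do_tkill() performs both before and after the fix. */
static void fill_tkill_fields(struct siginfo_model *info, int sig, int pid, unsigned uid)
{
	info->si_signo = sig;
	info->si_errno = 0;
	info->si_code = -6;	/* value of SI_TKILL */
	info->_sifields._kill.pid = pid;
	info->_sifields._kill.uid = uid;
}

/* Pre-fix: `struct siginfo info;` leaves every unassigned byte (padding, _rt tail) as found. */
static void build_unfixed(struct siginfo_model *info, int sig, int pid, unsigned uid)
{
	memset(info, STALE, sizeof *info);	/* stand-in for a dirty stack frame */
	fill_tkill_fields(info, sig, pid, uid);
}

/* Post-fix: `struct siginfo info = {};` zero-fills the whole object first. */
static void build_fixed(struct siginfo_model *info, int sig, int pid, unsigned uid)
{
	memset(info, STALE, sizeof *info);
	memset(info, 0, sizeof *info);		/* effect of the `= {}` initializer */
	fill_tkill_fields(info, sig, pid, uid);
}

/* Bytes in [p, p + n) still carrying the sentinel: what a copy to userspace would disclose. */
static size_t stale_bytes(const void *p, size_t n)
{
	const unsigned char *b = p;
	size_t count = 0;
	while (n--) count += (*b++ == STALE);
	return count;
}
```

On a 64-bit build the unfixed struct also carries four stale padding bytes between si_code and the union, so the disclosure is not limited to sival_ptr.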
Tim Gardner - June 20, 2013, 12:27 p.m.

Andy Whitcroft - June 20, 2013, 12:35 p.m.
On Thu, Jun 20, 2013 at 12:31:29PM +0100, Luis Henriques wrote:
> From: Emese Revfy <re.emese@gmail.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1187732
> 
> CVE-2013-2141
> 
> This fixes a kernel memory contents leak via the tkill and tgkill syscalls
> for compat processes.
> 
> This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
> when handling signals delivered from tkill.
> 
> The place of the infoleak:
> 
> int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
> {
>         ...
>         put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
>         ...
> }
> 
> Signed-off-by: Emese Revfy <re.emese@gmail.com>
> Reviewed-by: PaX Team <pageexec@freemail.hu>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Oleg Nesterov <oleg@redhat.com>
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Serge Hallyn <serge.hallyn@canonical.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f)
> 
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  kernel/signal.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 1c6675b..fb7e242 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -2301,7 +2301,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
>  
>  static int do_tkill(pid_t tgid, pid_t pid, int sig)
>  {
> -	struct siginfo info;
> +	struct siginfo info = {};
>  
>  	info.si_signo = sig;
>  	info.si_errno = 0;
> -- 
> 1.8.1.2
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Matches upstream and looks to do what is claimed.

Acked-by: Andy Whitcroft <apw@canonical.com>

That this is only for lucid, does that imply we are getting the rest via
stable?

-apw
Luis Henriques - June 20, 2013, 12:52 p.m.
Andy Whitcroft <apw@canonical.com> writes:

> On Thu, Jun 20, 2013 at 12:31:29PM +0100, Luis Henriques wrote:
>> From: Emese Revfy <re.emese@gmail.com>
>> 
>> BugLink: https://bugs.launchpad.net/bugs/1187732
>> 
>> CVE-2013-2141
>> 
>> This fixes a kernel memory contents leak via the tkill and tgkill syscalls
>> for compat processes.
>> 
>> This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
>> when handling signals delivered from tkill.
>> 
>> The place of the infoleak:
>> 
>> int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
>> {
>>         ...
>>         put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
>>         ...
>> }
>> 
>> Signed-off-by: Emese Revfy <re.emese@gmail.com>
>> Reviewed-by: PaX Team <pageexec@freemail.hu>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> Cc: Al Viro <viro@zeniv.linux.org.uk>
>> Cc: Oleg Nesterov <oleg@redhat.com>
>> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
>> Cc: Serge Hallyn <serge.hallyn@canonical.com>
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>> (cherry picked from commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f)
>> 
>> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
>> ---
>>  kernel/signal.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/kernel/signal.c b/kernel/signal.c
>> index 1c6675b..fb7e242 100644
>> --- a/kernel/signal.c
>> +++ b/kernel/signal.c
>> @@ -2301,7 +2301,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
>>  
>>  static int do_tkill(pid_t tgid, pid_t pid, int sig)
>>  {
>> -	struct siginfo info;
>> +	struct siginfo info = {};
>>  
>>  	info.si_signo = sig;
>>  	info.si_errno = 0;
>> -- 
>> 1.8.1.2
>> 
>> -- 
>> kernel-team mailing list
>> kernel-team@lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
> Matches upstream and looks to do what is claimed.
>
> Acked-by: Andy Whitcroft <apw@canonical.com>
>
> That this is only for lucid, does that imply we are getting the rest via
> stable?

Yes, the fixes for both CVEs are already queued (or released) in the
stable trees.  Since these patches are already too late for this SRU
cycle, I guess we can just wait for the stable updates to bring the
fixes into the other series.

Cheers,
Andy Whitcroft - June 20, 2013, 7:07 p.m.
On Thu, Jun 20, 2013 at 01:52:12PM +0100, Luis Henriques wrote:
> Andy Whitcroft <apw@canonical.com> writes:
> 
> > On Thu, Jun 20, 2013 at 12:31:29PM +0100, Luis Henriques wrote:
> >> From: Emese Revfy <re.emese@gmail.com>
> >> 
> >> BugLink: https://bugs.launchpad.net/bugs/1187732
> >> 
> >> CVE-2013-2141
> >> 
> >> This fixes a kernel memory contents leak via the tkill and tgkill syscalls
> >> for compat processes.
> >> 
> >> This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
> >> when handling signals delivered from tkill.
> >> 
> >> The place of the infoleak:
> >> 
> >> int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
> >> {
> >>         ...
> >>         put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
> >>         ...
> >> }
> >> 
> >> Signed-off-by: Emese Revfy <re.emese@gmail.com>
> >> Reviewed-by: PaX Team <pageexec@freemail.hu>
> >> Signed-off-by: Kees Cook <keescook@chromium.org>
> >> Cc: Al Viro <viro@zeniv.linux.org.uk>
> >> Cc: Oleg Nesterov <oleg@redhat.com>
> >> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> >> Cc: Serge Hallyn <serge.hallyn@canonical.com>
> >> Cc: <stable@vger.kernel.org>
> >> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> >> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> >> (cherry picked from commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f)
> >> 
> >> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> >> ---
> >>  kernel/signal.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >> 
> >> diff --git a/kernel/signal.c b/kernel/signal.c
> >> index 1c6675b..fb7e242 100644
> >> --- a/kernel/signal.c
> >> +++ b/kernel/signal.c
> >> @@ -2301,7 +2301,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
> >>  
> >>  static int do_tkill(pid_t tgid, pid_t pid, int sig)
> >>  {
> >> -	struct siginfo info;
> >> +	struct siginfo info = {};
> >>  
> >>  	info.si_signo = sig;
> >>  	info.si_errno = 0;
> >> -- 
> >> 1.8.1.2
> >> 
> >> -- 
> >> kernel-team mailing list
> >> kernel-team@lists.ubuntu.com
> >> https://lists.ubuntu.com/mailman/listinfo/kernel-team
> >
> > Matches upstream and looks to do what is claimed.
> >
> > Acked-by: Andy Whitcroft <apw@canonical.com>
> >
> > That this is only for lucid, does that imply we are getting the rest via
> > stable?
> 
> Yes, the fixes for both CVEs are already queued (or released) in the
> stable trees.  Since these patches are already too late for this SRU
> cycle, I guess we can just wait for the stable updates to bring the
> fixes into the other series.

I am sure that works.

-apw

Patch

diff --git a/kernel/signal.c b/kernel/signal.c
index 1c6675b..fb7e242 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2301,7 +2301,7 @@  do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
 
 static int do_tkill(pid_t tgid, pid_t pid, int sig)
 {
-	struct siginfo info;
+	struct siginfo info = {};
 
 	info.si_signo = sig;
 	info.si_errno = 0;
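Review bot: the hunk touches only do_tkill(), while the commit message credits the fix to both the tkill and tgkill syscalls and places the leak site in copy_siginfo_to_user32(); the change covers tgkill only if that syscall also builds its siginfo through do_tkill(), and the message would be clearer if it said so instead of leaving the reader to infer it from the do_send_specific() context in the hunk header. Changing `struct siginfo info;` to `struct siginfo info = {};` zero-fills the whole object, padding and every member of the _sifields union included, before `info.si_signo = sig;` and `info.si_errno = 0;` run, so the bytes that previously reached userspace through the never-assigned _rt.si_sigval.sival_ptr are now zero; the explicit `info.si_errno = 0;` becomes redundant but is harmless and keeps the diff minimal.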