From: Greg KH <gregkh@linuxfoundation.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>,
Ben Hutchings <ben@decadent.org.uk>,
luis.henriques@canonical.com, LKML <linux-kernel@vger.kernel.org>
Subject: Re: + signal-always-clear-sa_restorer-on-execve.patch added to -mm tree
Date: Mon, 11 Mar 2013 14:20:34 -0700
Message-ID: <20130311212034.GC32527@kroah.com>
In-Reply-To: <20130311140130.7effd02d12236dff081646d5@linux-foundation.org>
On Mon, Mar 11, 2013 at 02:01:30PM -0700, Andrew Morton wrote:
> On Mon, 11 Mar 2013 13:37:53 -0700 Kees Cook <keescook@chromium.org> wrote:
>
> > ...
> >
>
> (pop toasting undone)
>
> > > Subject: signal: always clear sa_restorer on execve
> > >
> > > When the new signal handlers are set up, the location of sa_restorer is
> > > not cleared, leaking a parent process's address space location to
> > > children. This allows for a potential bypass of the parent's ASLR by
> > > examining the sa_restorer value returned when calling sigaction().
> > >
> > > Based on what should be considered "secret" about addresses, it only
> > > matters across the exec not the fork (since the VMAs haven't changed until
> > > the exec). But since exec sets SIG_DFL and keeps sa_restorer, this is
> > > where it should be fixed.
> >
> > A note for backporters: you'll likely want to change
> > __ARCH_HAS_SA_RESTORER to SA_RESTORER, since the former was recently
> > introduced. If not, this will apply but not actually do any good.
>
> I added this to the changelog, but I fear people won't read it! Is
> there any clever way in which we can have one patch which will work OK
> in both old and new kernels? I can't think of one...
I'll store it in my stable inbox and will hope to remember it when it
hits Linus's tree...
thanks,
greg k-h
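A way to observe the state the quoted changelog describes, added here as an example and not code from the patch or from anyone in this thread: it reads the kernel's own k_sigaction through the raw rt_sigaction syscall (glibc's wrapper also copies sa_restorer back on x86-64, but the raw view makes the field and the SA_RESTORER flag unambiguous), installs a handler so glibc plants its libc trampoline address in sa_restorer, then re-executes itself and reads the disposition back after the exec. The struct layout assumes x86-64 (arm64 matches); the `--after-exec` argument, the helper names and the re-exec through /proc/self/exe are choices made for this example. On a kernel with the fix, the post-exec read shows SIG_DFL, flags 0 and a NULL restorer; on a kernel without it the restorer still holds an address inside the pre-exec image's libc mapping while the SA_RESTORER flag is clear, which is the ASLR hint the patch removes.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Explicit prototype so the raw syscall is usable even when unistd.h is
 * pulled in under a strict feature set. */
extern long syscall(long number, ...);

#ifndef SA_RESTORER
#define SA_RESTORER 0x04000000
#endif

/* Kernel-side struct sigaction as rt_sigaction(2) exchanges it on x86-64
 * and arm64 (assumption: other architectures lay this out differently).
 * The kernel sigset_t is _NSIG / 8 == 8 bytes, unlike glibc's 128. */
struct kernel_sigaction {
    void (*handler)(int);
    unsigned long flags;
    void (*restorer)(void);
    unsigned long mask;
};

/* Fetch the kernel's current disposition for sig without glibc's
 * translation layer. Returns 0 on success, -1 on failure. */
static int kernel_get_sigaction(int sig, struct kernel_sigaction *out)
{
    memset(out, 0, sizeof *out);
    return (int)syscall(SYS_rt_sigaction, sig, NULL, out, sizeof(out->mask));
}

/* 1 when the kernel still carries a restorer address for sig although
 * SA_RESTORER is not set: the stale, post-exec state the fix clears.
 * 0 when clean (or when the restorer is legitimately in use), -1 on error. */
static int restorer_is_stale(int sig)
{
    struct kernel_sigaction ka;
    if (kernel_get_sigaction(sig, &ka) != 0)
        return -1;
    return ka.restorer != NULL && !(ka.flags & SA_RESTORER);
}

static void noop_handler(int sig) { (void)sig; }

/* Install a handler through glibc. On x86-64 glibc adds SA_RESTORER and
 * points sa_restorer at its own trampoline inside libc, so after this the
 * kernel holds a pointer into the current address space layout. */
static int install_handler(int sig)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = noop_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(sig, &sa, NULL);
}

static void dump(const char *when, const struct kernel_sigaction *ka)
{
    printf("%s: handler=%p flags=%#lx restorer=%p\n", when,
           (void *)ka->handler, ka->flags, (void *)ka->restorer);
}

int main(int argc, char **argv)
{
    struct kernel_sigaction ka;

    if (argc > 1 && strcmp(argv[1], "--after-exec") == 0) {
        /* New image: exec reset SIGUSR1 to SIG_DFL with flags 0. Only an
         * unfixed kernel still reports the old image's restorer here. */
        if (kernel_get_sigaction(SIGUSR1, &ka) != 0)
            return 1;
        dump("after exec", &ka);
        printf("%s\n", restorer_is_stale(SIGUSR1)
                           ? "sa_restorer leaked across exec"
                           : "sa_restorer cleared across exec");
        return 0;
    }

    if (install_handler(SIGUSR1) != 0 || kernel_get_sigaction(SIGUSR1, &ka) != 0)
        return 1;
    dump("before exec", &ka);

    /* Re-run this same binary so the kernel's exec path processes the
     * sighand table while the handler above is installed. */
    execl("/proc/self/exe", argv[0], "--after-exec", (char *)NULL);
    perror("execl");
    return 1;
}
```

The pre-exec line is the baseline: a nonzero restorer with SA_RESTORER set is normal and is what glibc put there. What matters is the post-exec line, where the flag is already zero on every kernel and only the pointer distinguishes fixed from unfixed. The check generalizes to any signal number, since flush_signal_handlers walks the whole table.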
Thread overview:
2013-03-11 20:22 + signal-always-clear-sa_restorer-on-execve.patch added to -mm tree akpm
2013-03-11 20:37 ` Kees Cook
2013-03-11 21:01 ` Andrew Morton
2013-03-11 21:03 ` Kees Cook
2013-03-11 21:22 ` Andrew Morton
2013-03-11 21:33 ` Kees Cook
2013-03-11 21:42 ` Andrew Morton
2013-03-11 21:20 ` Greg KH [this message]