From: tip-bot for Mathias Krause <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: hpa@zytor.com, tglx@linutronix.de, mingo@kernel.org,
oleg@redhat.com, minipli@googlemail.com, pageexec@freemail.hu,
spender@grsecurity.net, linux-kernel@vger.kernel.org
Subject: [tip:timers/urgent] posix-timers: Fix stack info leak in timer_create()
Date: Sat, 25 Oct 2014 01:45:50 -0700
Message-ID: <tip-6891c4509c792209c44ced55a60f13954cb50ef4@git.kernel.org>
In-Reply-To: <1412456799-32339-1-git-send-email-minipli@googlemail.com>
Commit-ID: 6891c4509c792209c44ced55a60f13954cb50ef4
Gitweb: http://git.kernel.org/tip/6891c4509c792209c44ced55a60f13954cb50ef4
Author: Mathias Krause <minipli@googlemail.com>
AuthorDate: Sat, 4 Oct 2014 23:06:39 +0200
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Sat, 25 Oct 2014 10:43:15 +0200
posix-timers: Fix stack info leak in timer_create()
If userland creates a timer without specifying a sigevent info, we'll
create one ourselves, using a stack local variable. In particular, we'll
use the timer ID as sival_int. But as sigev_value is a union containing
a pointer and an int, that assignment will only partially initialize
sigev_value on systems where the size of a pointer is bigger than the
size of an int. On such systems we'll copy the uninitialized stack bytes
from the timer_create() call to userland when the timer actually fires
and we're going to deliver the signal.
Initialize sigev_value with 0 to plug the stack info leak.
Found in the PaX patch, written by the PaX Team.
Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Cc: <stable@vger.kernel.org> # v2.6.28+
Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
kernel/time/posix-timers.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index 42b463a..31ea01f 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -636,6 +636,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
goto out;
}
} else {
+ memset(&event.sigev_value, 0, sizeof(event.sigev_value));
event.sigev_notify = SIGEV_SIGNAL;
event.sigev_signo = SIGALRM;
event.sigev_value.sival_int = new_timer->it_id;
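Review bot: the memset is sized with sizeof(event.sigev_value), so it zeroes the whole union (the pointer-sized member, not just the int) on every architecture, and it is placed before the sival_int store rather than after it, which is the correct order; sigev_notify and sigev_signo are fully assigned on the following two lines, so sigev_value is the only field in this branch that needed it. The declaration of `event` is outside the hunk, so whether the other branch (the copy_from_user path above `goto out;`) fully populates the struct cannot be checked from the visible lines; worth confirming in review that no other partially written member reaches the siginfo on delivery.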
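To make the mechanism in the commit message concrete, here is an added userspace demonstration; it is not kernel code and not part of the patch. It assumes stand-in types `my_sigval` and `my_sigevent` with the same union layout as the kernel's `sigval`/`sigevent`, a constructed stale-stack pattern `STALE` in place of whatever happened to be on the real stack, and hypothetical helpers `fill_event` and `stale_bytes` that model the timer_create() branch before and after the fix. It counts how many bytes of `sigev_value` still carry the stale pattern after the assignment: `sizeof(void *) - sizeof(int)` without the memset (4 on a 64-bit build, 0 on a 32-bit one), and 0 with it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel's union sigval / struct sigevent (hypothetical names). */
union my_sigval {
    int   sival_int;
    void *sival_ptr;
};

struct my_sigevent {
    union my_sigval sigev_value;
    int sigev_signo;
    int sigev_notify;
};

/* Aligned backing storage that we pre-fill with a recognisable pattern.
 * This stands in for stale stack contents; real stack garbage is arbitrary,
 * the constructed pattern just makes the leftover bytes countable. */
union backing {
    struct my_sigevent ev;
    unsigned char raw[sizeof(struct my_sigevent)];
};

#define STALE 0xA5          /* constructed marker byte */
#define FAKE_SIGALRM 14     /* stand-in for SIGALRM; value not significant here */
#define FAKE_SIGEV_SIGNAL 0 /* stand-in for SIGEV_SIGNAL */

/* Models the `else` branch of timer_create(): only sival_int is stored,
 * so the upper bytes of the pointer-sized union are left untouched
 * unless do_memset (the fix) clears the union first. */
static void fill_event(struct my_sigevent *event, int timer_id, int do_memset)
{
    if (do_memset)
        memset(&event->sigev_value, 0, sizeof(event->sigev_value));
    event->sigev_notify = FAKE_SIGEV_SIGNAL;
    event->sigev_signo = FAKE_SIGALRM;
    event->sigev_value.sival_int = timer_id;
}

/* Fill the event on "stale" storage, model signal delivery by copying the
 * whole sigev_value out (as the kernel copies si_value into the siginfo
 * handed to userland), and count bytes that still hold the stale pattern. */
static size_t stale_bytes(int do_memset)
{
    union backing b;
    unsigned char delivered[sizeof(union my_sigval)];
    size_t i, n = 0;

    memset(b.raw, STALE, sizeof b.raw);
    fill_event(&b.ev, 7, do_memset);   /* 7: constructed timer id */

    memcpy(delivered, &b.ev.sigev_value, sizeof delivered);
    for (i = 0; i < sizeof delivered; i++)
        if (delivered[i] == STALE)
            n++;
    return n;
}

/* Before the fix: sizeof(void *) - sizeof(int) stale bytes reach userland. */
size_t leaky_stale_bytes(void)
{
    return stale_bytes(0);
}

/* After the fix: the memset zeroes the whole union, nothing stale survives. */
size_t fixed_stale_bytes(void)
{
    return stale_bytes(1);
}

int main(void)
{
    printf("sizeof(void *)=%zu sizeof(int)=%zu\n", sizeof(void *), sizeof(int));
    printf("stale bytes without memset: %zu\n", leaky_stale_bytes());
    printf("stale bytes with memset:    %zu\n", fixed_stale_bytes());
    return 0;
}
```

The same pattern applies to any union or padded struct that is copied to a less privileged domain: writing one member of a union does not initialise the rest of its storage, so either zero the object (memset or `= {}` at declaration) or copy only the members that were written.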
Thread overview: 6+ messages
2014-10-04 21:06 [PATCH] posix-timers: fix stack info leak in timer_create() Mathias Krause
2014-10-05 21:06 ` Oleg Nesterov
2014-10-05 21:24 ` Thomas Gleixner
2014-10-05 21:54 ` Mathias Krause
2014-10-05 22:28 ` Oleg Nesterov
2014-10-25 8:45 ` tip-bot for Mathias Krause [this message]