[PATCH] fix infoleak in fcntl

[PATCH] fix infoleak in fcntl

[Kangjie Lu]

The stack object “si” has a total size of 128 bytes; however, only
16 bytes are initialized. The remaining uninitialized bytes are
sent to userland via send_signal.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
---
 fs/fcntl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/fcntl.c b/fs/fcntl.c
index 350a2c8..d06f943 100644
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -468,6 +468,7 @@ static void send_sigio_to_task(struct task_struct *p,
 			   delivered even if we can't queue.  Failure to
 			   queue in this case _should_ be reported; we fall
 			   back to SIGIO in that case. --sct */
+			memset(&si, 0, sizeof(si));
 			si.si_signo = signum;
 			si.si_errno = 0;
 		        si.si_code  = reason;
-- 
1.9.1

Re: [PATCH] fix infoleak in fcntl

[Christoph Hellwig]

On Tue, May 03, 2016 at 04:34:09PM -0400, Kangjie Lu wrote:
> The stack object ???si??? has a total size of 128 bytes; however, only
> 16 bytes are initialized. The remaining uninitialized bytes are
> sent to userland via send_signal.
> 
> Signed-off-by: Kangjie Lu <kjlu@gatech.edu>

Looks fine,

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH] fix infoleak in fcntl

[Richard Weinberger]

On Tue, May 3, 2016 at 10:34 PM, Kangjie Lu <kangjielu@gmail.com> wrote:
> The stack object “si” has a total size of 128 bytes; however, only
> 16 bytes are initialized. The remaining uninitialized bytes are
> sent to userland via send_signal.

How did you find all these leaks?
Since you sent more than one patch I guess you used some tool, which one?

-- 
Thanks,
//richard

Re: [PATCH] fix infoleak in fcntl

[Richard Weinberger]

Am 08.05.2016 um 17:40 schrieb Kangjie Lu:
> 
> 
> On Sun, May 8, 2016 at 8:58 AM, Richard Weinberger <richard.weinberger@gmail.com <mailto:richard.weinberger@gmail.com>> wrote:
> 
>     On Tue, May 3, 2016 at 10:34 PM, Kangjie Lu <kangjielu@gmail.com <mailto:kangjielu@gmail.com>> wrote:
>     > The stack object “si” has a total size of 128 bytes; however, only
>     > 16 bytes are initialized. The remaining uninitialized bytes are
>     > sent to userland via send_signal.
> 
>     How did you find all these leaks?
>     Since you sent more than one patch I guess you used some tool, which one?
> 
> 
> Yes. Since there are *so many* infoleak vulnerabilities in the kernel, we are writing a
> static checker to find them.  We plan to release it once it is done, so people can use
> it to find more bugs in kernel or even other user space programs.

How does your tool work?
I'd guess it tries to find uninitialized structs passed into copy_to_user().

Thanks,
//richard