From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from youngberry.canonical.com ([91.189.89.112]:43998 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932777AbbICPnn (ORCPT ); Thu, 3 Sep 2015 11:43:43 -0400
Date: Thu, 3 Sep 2015 16:43:40 +0100
From: Luis Henriques
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Amanieu dAntras , Oleg Nesterov , Ingo Molnar , Andrew Morton , Linus Torvalds , Kamal Mostafa
Subject: Re: [PATCH 3.14 30/44] signalfd: fix information leak in signalfd_copyinfo
Message-ID: <20150903154340.GD2601@ares>
References: <20150814174401.628233291@linuxfoundation.org> <20150814174402.548083891@linuxfoundation.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20150814174402.548083891@linuxfoundation.org>
Sender: stable-owner@vger.kernel.org
List-ID:

On Fri, Aug 14, 2015 at 10:45:07AM -0700, Greg Kroah-Hartman wrote:
> 3.14-stable review patch. If anyone has any objections, please let me know.
>

These 3 patches seem to be relevant to other stable trees as well. I'm
queuing them for the 3.16 kernel.

Cheers,
--
Luís

> ------------------
>
> From: Amanieu d'Antras
>
> commit 3ead7c52bdb0ab44f4bb1feed505a8323cc12ba7 upstream.
>
> This function may copy the si_addr_lsb field to user mode when it hasn't
> been initialized, which can leak kernel stack data to user mode.
>
> Just checking the value of si_code is insufficient because the same
> si_code value is shared between multiple signals. This is solved by
> checking the value of si_signo in addition to si_code.
>
> Signed-off-by: Amanieu d'Antras
> Cc: Oleg Nesterov
> Cc: Ingo Molnar
> Signed-off-by: Andrew Morton
> Signed-off-by: Linus Torvalds
> Signed-off-by: Greg Kroah-Hartman
>
> ---
> fs/signalfd.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> --- a/fs/signalfd.c
> +++ b/fs/signalfd.c
> @@ -121,8 +121,9 @@ static int signalfd_copyinfo(struct sign > * Other callers might not initialize the si_lsb field, > * so check explicitly for the right codes here. > */ > - if (kinfo->si_code == BUS_MCEERR_AR || > - kinfo->si_code == BUS_MCEERR_AO) > + if (kinfo->si_signo == SIGBUS && > + (kinfo->si_code == BUS_MCEERR_AR || > + kinfo->si_code == BUS_MCEERR_AO)) > err |= __put_user((short) kinfo->si_addr_lsb, > &uinfo->ssi_addr_lsb); > #endif
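
Review bot: the comment retained above the changed condition still says only "check explicitly for the right codes here", while the new test also requires kinfo->si_signo == SIGBUS. Suggest extending that comment to say that si_code values are shared between signals, so the signal number is checked as well, as the commit message explains. For the backport, it is also worth confirming in the target tree that ssi_addr_lsb is already zeroed in the user buffer when this branch is skipped, since the hunk itself does not show that.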
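
The si_code collision described in the commit message, as an added user-space model that is not part of the original mail or the kernel source. The `model_siginfo` struct, the `M_*` constants (mirroring x86 Linux values), `copy_lsb` and the 0xAA fill standing in for stale stack bytes are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model, not kernel code. The M_* constants mirror
 * the x86 Linux values of SIGILL, SIGBUS, ILL_PRVOPC and BUS_MCEERR_*. */
enum { M_SIGILL = 4, M_SIGBUS = 7 };
enum { M_ILL_PRVOPC = 5, M_BUS_MCEERR_AR = 4, M_BUS_MCEERR_AO = 5 };

struct model_siginfo {          /* simplified stand-in for siginfo */
    int   si_signo;
    int   si_code;
    void *si_addr;
    short si_addr_lsb;          /* only the SIGBUS MCE path fills this in */
};
typedef int (*check_fn)(const struct model_siginfo *);

static int old_check(const struct model_siginfo *k)   /* before the patch */
{
    return k->si_code == M_BUS_MCEERR_AR || k->si_code == M_BUS_MCEERR_AO;
}

static int new_check(const struct model_siginfo *k)   /* after the patch */
{
    return k->si_signo == M_SIGBUS && old_check(k);
}

/* Returns the ssi_addr_lsb value user space would read back. */
static uint16_t copy_lsb(check_fn check, int signo, int code, int sets_lsb)
{
    struct model_siginfo k;
    uint16_t ssi_addr_lsb = 0;      /* assumption: user buffer starts zeroed */
    memset(&k, 0xAA, sizeof k);     /* stand-in for stale stack contents */
    k.si_signo = signo;
    k.si_code = code;
    k.si_addr = NULL;
    if (sets_lsb)
        k.si_addr_lsb = 12;         /* constructed sample value */
    if (check(&k))
        ssi_addr_lsb = (uint16_t)k.si_addr_lsb;
    return ssi_addr_lsb;
}

int main(void)
{
    printf("SIGILL/ILL_PRVOPC, old check: 0x%04x\n", copy_lsb(old_check, M_SIGILL, M_ILL_PRVOPC, 0));
    printf("SIGILL/ILL_PRVOPC, new check: 0x%04x\n", copy_lsb(new_check, M_SIGILL, M_ILL_PRVOPC, 0));
    return 0;
}
```

ILL_PRVOPC and BUS_MCEERR_AO share the value 5, so the si_code-only test passes for a SIGILL record whose si_addr_lsb was never written.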