[PATCH 4.13 087/110] fix infoleak in waitid(2)

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>
Subject: [PATCH 4.13 087/110] fix infoleak in waitid(2)
Date: Tue,  3 Oct 2017 14:29:49 +0200	[thread overview]
Message-ID: <20171003114244.800849144@linuxfoundation.org> (raw)
In-Reply-To: <20171003114241.408583531@linuxfoundation.org>

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 6c85501f2fabcfc4fc6ed976543d252c4eaf4be9 upstream.

kernel_waitid() can return a PID, an error or 0.  rusage is filled in the first
case and waitid(2) rusage should've been copied out exactly in that case, *not*
whenever kernel_waitid() has not returned an error.  Compat variant shares that
braino; none of kernel_wait4() callers do, so the below ought to fix it.

Reported-and-tested-by: Alexander Potapenko <glider@google.com>
Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/exit.c |   23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1601,12 +1601,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_
 	struct waitid_info info = {.status = 0};
 	long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
 	int signo = 0;
+
 	if (err > 0) {
 		signo = SIGCHLD;
 		err = 0;
-	}
-
-	if (!err) {
 		if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
 			return -EFAULT;
 	}
@@ -1724,16 +1722,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
 	if (err > 0) {
 		signo = SIGCHLD;
 		err = 0;
-	}
-
-	if (!err && uru) {
-		/* kernel_waitid() overwrites everything in ru */
-		if (COMPAT_USE_64BIT_TIME)
-			err = copy_to_user(uru, &ru, sizeof(ru));
-		else
-			err = put_compat_rusage(&ru, uru);
-		if (err)
-			return -EFAULT;
+		if (uru) {
+			/* kernel_waitid() overwrites everything in ru */
+			if (COMPAT_USE_64BIT_TIME)
+				err = copy_to_user(uru, &ru, sizeof(ru));
+			else
+				err = put_compat_rusage(&ru, uru);
+			if (err)
+				return -EFAULT;
+		}
 	}
 
 	if (!infop)

next prev parent reply	other threads:[~2017-10-03 12:33 UTC|newest]

Thread overview: 109+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-03 12:28 [PATCH 4.13 000/110] 4.13.5-stable review Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 001/110] cifs: check rsp for NULL before dereferencing in SMB2_open Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 002/110] cifs: release cifs root_cred after exit_cifs Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 003/110] cifs: release auth_key.response for reconnect Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 004/110] nvme-pci: fix host memory buffer allocation fallback Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 005/110] nvme-pci: use appropriate initial chunk size for HMB allocation Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 006/110] nvme-pci: propagate (some) errors from host memory buffer setup Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 007/110] dax: remove the pmem_dax_ops->flush abstraction Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 008/110] dm integrity: do not check integrity for failed read operations Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 009/110] mmc: block: Fix incorrectly initialized requests Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 010/110] fs/proc: Report eip/esp in /prod/PID/stat for coredumping Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 011/110] scsi: scsi_transport_fc: fix NULL pointer dereference in fc_bsg_job_timeout Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 012/110] SMB3: Add support for multidialect negotiate (SMB2.1 and later) Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 013/110] mac80211: fix VLAN handling with TXQs Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 014/110] mac80211_hwsim: Use proper TX power Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 015/110] mac80211: flush hw_roc_start work before cancelling the ROC Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 016/110] mac80211: fix deadlock in driver-managed RX BA session start Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 017/110] genirq: Make sparse_irq_lock protect what it should protect Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 018/110] genirq/msi: Fix populating multiple interrupts Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 019/110] genirq: Fix cpumask check in __irq_startup_managed() Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 020/110] KVM: PPC: Book3S HV: Hold kvm->lock around call to kvmppc_update_lpcr Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 021/110] KVM: PPC: Book3S HV: Fix bug causing host SLB to be restored incorrectly Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 022/110] KVM: PPC: Book3S HV: Dont access XIVE PIPR register using byte accesses Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 023/110] tracing: Fix trace_pipe behavior for instance traces Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 024/110] tracing: Erase irqsoff trace with empty write Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 025/110] tracing: Remove RCU work arounds from stack tracer Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 026/110] md/raid5: fix a race condition in stripe batch Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 027/110] md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 028/110] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesnt parse nlmsg properly Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 029/110] scsi: aacraid: Fix 2T+ drives on SmartIOC-2000 Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 030/110] scsi: aacraid: Add a small delay after IOP reset Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 031/110] drm/exynos: Fix locking in the suspend/resume paths Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 032/110] drm/i915/gvt: Fix incorrect PCI BARs reporting Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 033/110] Revert "drm/i915/bxt: Disable device ready before shutdown command" Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 035/110] drm/radeon: disable hard reset in hibernate for APUs Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 036/110] crypto: drbg - fix freeing of resources Greg Kroah-Hartman
2017-10-03 12:28 ` [PATCH 4.13 037/110] crypto: talitos - Dont provide setkey for non hmac hashing algs Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 038/110] crypto: talitos - fix sha224 Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 039/110] crypto: talitos - fix hashing Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 040/110] security/keys: properly zero out sensitive key material in big_key Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 041/110] security/keys: rewrite all of big_key crypto Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 042/110] KEYS: fix writing past end of user-supplied buffer in keyring_read() Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 043/110] KEYS: prevent creating a different users keyrings Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 044/110] KEYS: prevent KEYCTL_READ on negative key Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 045/110] libnvdimm, namespace: fix btt claim class crash Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 046/110] powerpc/eeh: Create PHB PEs after EEH is initialized Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 047/110] powerpc/pseries: Fix parent_dn reference leak in add_dt_node() Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 048/110] powerpc/tm: Flush TM only if CPU has TM feature Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 049/110] MIPS: Fix perf event init Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 050/110] s390/perf: fix bug when creating per-thread event Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 051/110] s390/mm: make pmdp_invalidate() do invalidation only Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 052/110] s390/mm: fix write access check in gup_huge_pmd() Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 053/110] PM: core: Fix device_pm_check_callbacks() Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 054/110] Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0" Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 055/110] Fix SMB3.1.1 guest authentication to Samba Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 056/110] SMB3: Fix endian warning Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 057/110] SMB3: Warn user if trying to sign connection that authenticated as guest Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 058/110] SMB: Validate negotiate (to protect against downgrade) even if signing off Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 059/110] SMB3: handle new statx fields Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 060/110] SMB3: Dont ignore O_SYNC/O_DSYNC and O_DIRECT flags Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 061/110] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 062/110] libceph: dont allow bidirectional swap of pg-upmap-items Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 063/110] nl80211: check for the required netlink attributes presence Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 064/110] brd: fix overflow in __brd_direct_access Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 065/110] gfs2: Fix debugfs glocks dump Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 066/110] bsg-lib: dont free job in bsg_prepare_job Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 067/110] iw_cxgb4: drop listen destroy replies if no ep found Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 068/110] iw_cxgb4: remove the stid on listen create failure Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 069/110] iw_cxgb4: put ep reference in pass_accept_req() Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 070/110] rcu: Allow for page faults in NMI handlers Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 071/110] mmc: sdhci-pci: Fix voltage switch for some Intel host controllers Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 072/110] extable: Consolidate *kernel_text_address() functions Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 073/110] extable: Enable RCU if it is not watching in kernel_text_address() Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 074/110] selftests/seccomp: Support glibc 2.26 siginfo_t.h Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 075/110] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 076/110] arm64: Make sure SPsel is always set Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 077/110] arm64: mm: Use READ_ONCE when dereferencing pointer to pte table Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 078/110] arm64: fault: Route pte translation faults via do_translation_fault Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 082/110] KVM: nVMX: fix HOST_CR3/HOST_CR4 cache Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 083/110] kvm/x86: Handle async PF in RCU read-side critical sections Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 085/110] kvm: nVMX: Dont allow L2 to access the hardware CR8 Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 086/110] xfs: validate bdev support for DAX inode flag Greg Kroah-Hartman
2017-10-03 12:29 ` Greg Kroah-Hartman [this message]
2017-10-03 12:29 ` [PATCH 4.13 088/110] sched/sysctl: Check user input value of sysctl_sched_time_avg Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 089/110] irq/generic-chip: Dont replace domains name Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 090/110] mtd: Fix partition alignment check on multi-erasesize devices Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 091/110] mtd: nand: atmel: fix buffer overflow in atmel_pmecc_user Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 092/110] etnaviv: fix submit error path Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 093/110] etnaviv: fix gem object list corruption Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 094/110] futex: Fix pi_state->owner serialization Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 095/110] md: fix a race condition for flush request handling Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 096/110] md: separate " Greg Kroah-Hartman
2017-10-03 12:29 ` [PATCH 4.13 097/110] PCI: Fix race condition with driver_override Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 098/110] btrfs: fix NULL pointer dereference from free_reloc_roots() Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 099/110] btrfs: clear ordered flag on cleaning up ordered extents Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 100/110] btrfs: finish ordered extent cleaning if no progress is found Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 101/110] btrfs: propagate error to btrfs_cmp_data_prepare caller Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 102/110] btrfs: prevent to set invalid default subvolid Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 104/110] PM / OPP: Call notifier without holding opp_table->lock Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 105/110] x86/mm: Fix fault error path using unsafe vma pointer Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 106/110] x86/fpu: Dont let userspace set bogus xcomp_bv Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 109/110] KVM: VMX: use cmpxchg64 Greg Kroah-Hartman
2017-10-03 12:30 ` [PATCH 4.13 110/110] video: fbdev: aty: do not leak uninitialized padding in clk to userspace Greg Kroah-Hartman
2017-10-03 19:36 ` [PATCH 4.13 000/110] 4.13.5-stable review Shuah Khan
2017-10-03 20:30 ` Guenter Roeck
2017-10-04  7:53   ` Greg Kroah-Hartman
     [not found] ` <20171003114245.404118381@linuxfoundation.org>
2017-10-03 22:09   ` [PATCH 4.13 103/110] platform/x86: fujitsu-laptop: Dont oops when FUJ02E3 is not presnt Jonathan Woithe
2017-10-04  0:27     ` Darren Hart
2017-10-04  3:07       ` Jonathan Woithe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171003114244.800849144@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).