| commit | 5572adc7b7f7694b2ea4abcc87eb81a6bb64656e | |
| author | Dan Rosenberg <drosenberg@vsecurity.com> | |
| Thu, 30 Sep 2010 22:15:31 +0000 (30 15:15 -0700) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Mon, 21 Mar 2011 19:43:49 +0000 (21 12:43 -0700) | ||
| tree | b286a7fb94161c27a9388c458159d3bff64ab90f | treesnapshot (tar.gz zip) |
| parent | cebb2f20e037878d8c4f7402f3e8b73e855b72d5 | commitdiff |
sys_semctl: fix kernel stack leakage
commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 upstream.
The semctl syscall has several code paths that lead to the leakage of
uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
version of the semid_ds struct.
The copy_semid_to_user() function declares a semid_ds struct on the stack
and copies it back to the user without initializing or zeroing the
"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
allowing the leakage of 16 bytes of kernel stack memory.
The code is still reachable on 32-bit systems - when calling semctl()
newer glibc's automatically OR the IPC command with the IPC_64 flag, but
invoking the syscall directly allows users to use the older versions of
the struct.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 upstream.
The semctl syscall has several code paths that lead to the leakage of
uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
version of the semid_ds struct.
The copy_semid_to_user() function declares a semid_ds struct on the stack
and copies it back to the user without initializing or zeroing the
"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
allowing the leakage of 16 bytes of kernel stack memory.
The code is still reachable on 32-bit systems - when calling semctl()
newer glibc's automatically OR the IPC command with the IPC_64 flag, but
invoking the syscall directly allows users to use the older versions of
the struct.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| ipc/sem.c | diffblobblamehistory |