fix infoleak in waitid(2) (CVE-2017-14954)

2017-10-01 12:01:26 +02:00 · 2017-10-01 12:01:26 +02:00 · 2678c31e68
parent 611a8e6726
commit 2678c31e68
3 changed files with 70 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -22,6 +22,9 @@ linux (4.13.4-1~exp1) UNRELEASED; urgency=medium
  [ John Paul Adrian Glaubitz ]
  * [m68k] Enable CONFIG_PATA_FALCON as module.

+  [ Salvatore Bonaccorso ]
+  * fix infoleak in waitid(2) (CVE-2017-14954)
+
 -- Ben Hutchings <ben@decadent.org.uk>  Thu, 21 Sep 2017 23:49:55 +0100

 linux (4.13.2-1~exp1) experimental; urgency=medium
--- a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
+++ b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
@ -0,0 +1,66 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 29 Sep 2017 13:43:15 -0400
+Subject: fix infoleak in waitid(2)
+Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
+
+kernel_waitid() can return a PID, an error or 0.  rusage is filled in the first
+case and waitid(2) rusage should've been copied out exactly in that case, *not*
+whenever kernel_waitid() has not returned an error.  Compat variant shares that
+braino; none of kernel_wait4() callers do, so the below ought to fix it.
+
+Reported-and-tested-by: Alexander Potapenko <glider@google.com>
+Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
+Cc: stable@vger.kernel.org # v4.13
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ kernel/exit.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 3481ababd06a..f2cd53e92147 100644
+--- a/kernel/exit.c
+++ b/kernel/exit.c
+@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
+ 	struct waitid_info info = {.status = 0};
+ 	long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
+ 	int signo = 0;
+
+ 	if (err > 0) {
+ 		signo = SIGCHLD;
+ 		err = 0;
+-	}
+-
+-	if (!err) {
+ 		if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
+ 			return -EFAULT;
+ 	}
+@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
+ 	if (err > 0) {
+ 		signo = SIGCHLD;
+ 		err = 0;
+-	}
+-
+-	if (!err && uru) {
+-		/* kernel_waitid() overwrites everything in ru */
+-		if (COMPAT_USE_64BIT_TIME)
+-			err = copy_to_user(uru, &ru, sizeof(ru));
+-		else
+-			err = put_compat_rusage(&ru, uru);
+-		if (err)
+-			return -EFAULT;
+		if (uru) {
+			/* kernel_waitid() overwrites everything in ru */
+			if (COMPAT_USE_64BIT_TIME)
+				err = copy_to_user(uru, &ru, sizeof(ru));
+			else
+				err = put_compat_rusage(&ru, uru);
+			if (err)
+				return -EFAULT;
+		}
+ 	}
+ 
+ 	if (!infop)
+-- 
+2.14.2
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -117,6 +117,7 @@ bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
 bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
 bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
 bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
+bugfix/all/fix-infoleak-in-waitid-2.patch

 # Fix exported symbol versions
 bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch