fix infoleak in waitid(2) (CVE-2017-14954)
This commit is contained in:
parent
611a8e6726
commit
2678c31e68
|
@ -22,6 +22,9 @@ linux (4.13.4-1~exp1) UNRELEASED; urgency=medium
|
|||
[ John Paul Adrian Glaubitz ]
|
||||
* [m68k] Enable CONFIG_PATA_FALCON as module.
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* fix infoleak in waitid(2) (CVE-2017-14954)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Thu, 21 Sep 2017 23:49:55 +0100
|
||||
|
||||
linux (4.13.2-1~exp1) experimental; urgency=medium
|
||||
|
|
|
@ -0,0 +1,66 @@
|
|||
From: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Date: Fri, 29 Sep 2017 13:43:15 -0400
|
||||
Subject: fix infoleak in waitid(2)
|
||||
Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
|
||||
|
||||
kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
|
||||
case and waitid(2) rusage should've been copied out exactly in that case, *not*
|
||||
whenever kernel_waitid() has not returned an error. Compat variant shares that
|
||||
braino; none of kernel_wait4() callers do, so the below ought to fix it.
|
||||
|
||||
Reported-and-tested-by: Alexander Potapenko <glider@google.com>
|
||||
Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
|
||||
Cc: stable@vger.kernel.org # v4.13
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
kernel/exit.c | 23 ++++++++++-------------
|
||||
1 file changed, 10 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/kernel/exit.c b/kernel/exit.c
|
||||
index 3481ababd06a..f2cd53e92147 100644
|
||||
--- a/kernel/exit.c
|
||||
+++ b/kernel/exit.c
|
||||
@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
|
||||
struct waitid_info info = {.status = 0};
|
||||
long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
|
||||
int signo = 0;
|
||||
+
|
||||
if (err > 0) {
|
||||
signo = SIGCHLD;
|
||||
err = 0;
|
||||
- }
|
||||
-
|
||||
- if (!err) {
|
||||
if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
|
||||
return -EFAULT;
|
||||
}
|
||||
@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
|
||||
if (err > 0) {
|
||||
signo = SIGCHLD;
|
||||
err = 0;
|
||||
- }
|
||||
-
|
||||
- if (!err && uru) {
|
||||
- /* kernel_waitid() overwrites everything in ru */
|
||||
- if (COMPAT_USE_64BIT_TIME)
|
||||
- err = copy_to_user(uru, &ru, sizeof(ru));
|
||||
- else
|
||||
- err = put_compat_rusage(&ru, uru);
|
||||
- if (err)
|
||||
- return -EFAULT;
|
||||
+ if (uru) {
|
||||
+ /* kernel_waitid() overwrites everything in ru */
|
||||
+ if (COMPAT_USE_64BIT_TIME)
|
||||
+ err = copy_to_user(uru, &ru, sizeof(ru));
|
||||
+ else
|
||||
+ err = put_compat_rusage(&ru, uru);
|
||||
+ if (err)
|
||||
+ return -EFAULT;
|
||||
+ }
|
||||
}
|
||||
|
||||
if (!infop)
|
||||
--
|
||||
2.14.2
|
||||
|
|
@ -117,6 +117,7 @@ bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
|
|||
bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
|
||||
bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
|
||||
bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
|
||||
bugfix/all/fix-infoleak-in-waitid-2.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
|
||||
|
|
Loading…
Reference in New Issue