Linux v3.9-rc2-292-ga2362d2

- Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device
This commit is contained in:
Josh Boyer 2013-03-15 08:13:33 -04:00
parent 930f974036
commit 73964d96a7
7 changed files with 7 additions and 502 deletions

View File

@ -1,248 +0,0 @@
From db7192fa07fa5c70c9849d8f658a7ff696cff99d Mon Sep 17 00:00:00 2001
From: Kevin Cernekee <cernekee@gmail.com>
Date: Sat, 16 Feb 2013 22:40:03 -0800
Subject: [PATCH 14/15] Input: ALPS - Remove unused argument to
alps_enter_command_mode()
Now that alps_identify() explicitly issues an EC report using
alps_rpt_cmd(), we no longer need to look at the magic numbers returned
by alps_enter_command_mode().
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
---
drivers/input/mouse/alps.c | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
index 7b99fc7..9c97531 100644
--- a/drivers/input/mouse/alps.c
+++ b/drivers/input/mouse/alps.c
@@ -994,8 +994,7 @@ static int alps_rpt_cmd(struct psmouse *psmouse, int init_command,
return 0;
}
-static int alps_enter_command_mode(struct psmouse *psmouse,
- unsigned char *resp)
+static int alps_enter_command_mode(struct psmouse *psmouse)
{
unsigned char param[4];
@@ -1009,9 +1008,6 @@ static int alps_enter_command_mode(struct psmouse *psmouse,
"unknown response while entering command mode\n");
return -1;
}
-
- if (resp)
- *resp = param[2];
return 0;
}
@@ -1176,7 +1172,7 @@ static int alps_passthrough_mode_v3(struct psmouse *psmouse,
{
int reg_val, ret = -1;
- if (alps_enter_command_mode(psmouse, NULL))
+ if (alps_enter_command_mode(psmouse))
return -1;
reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x0008);
@@ -1216,7 +1212,7 @@ static int alps_probe_trackstick_v3(struct psmouse *psmouse, int reg_base)
{
int ret = -EIO, reg_val;
- if (alps_enter_command_mode(psmouse, NULL))
+ if (alps_enter_command_mode(psmouse))
goto error;
reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x08);
@@ -1279,7 +1275,7 @@ static int alps_setup_trackstick_v3(struct psmouse *psmouse, int reg_base)
* supported by this driver. If bit 1 isn't set the packet
* format is different.
*/
- if (alps_enter_command_mode(psmouse, NULL) ||
+ if (alps_enter_command_mode(psmouse) ||
alps_command_mode_write_reg(psmouse,
reg_base + 0x08, 0x82) ||
alps_exit_command_mode(psmouse))
@@ -1306,7 +1302,7 @@ static int alps_hw_init_v3(struct psmouse *psmouse)
alps_setup_trackstick_v3(psmouse, ALPS_REG_BASE_PINNACLE) == -EIO)
goto error;
- if (alps_enter_command_mode(psmouse, NULL) ||
+ if (alps_enter_command_mode(psmouse) ||
alps_absolute_mode_v3(psmouse)) {
psmouse_err(psmouse, "Failed to enter absolute mode\n");
goto error;
@@ -1381,7 +1377,7 @@ static int alps_hw_init_rushmore_v3(struct psmouse *psmouse)
priv->flags &= ~ALPS_DUALPOINT;
}
- if (alps_enter_command_mode(psmouse, NULL) ||
+ if (alps_enter_command_mode(psmouse) ||
alps_command_mode_read_reg(psmouse, 0xc2d9) == -1 ||
alps_command_mode_write_reg(psmouse, 0xc2cb, 0x00))
goto error;
@@ -1431,7 +1427,7 @@ static int alps_hw_init_v4(struct psmouse *psmouse)
struct ps2dev *ps2dev = &psmouse->ps2dev;
unsigned char param[4];
- if (alps_enter_command_mode(psmouse, NULL))
+ if (alps_enter_command_mode(psmouse))
goto error;
if (alps_absolute_mode_v4(psmouse)) {
--
1.8.1.2
From 10740a25bb3b895b5de7773f926a978416b38409 Mon Sep 17 00:00:00 2001
From: Dave Turvene <dturvene@dahetral.com>
Date: Sat, 16 Feb 2013 22:40:04 -0800
Subject: [PATCH 15/15] Input: ALPS - Add "Dolphin V1" touchpad support
These touchpads use a different protocol; they have been seen on Dell
N5110, Dell 17R SE, and others.
The official ALPS driver identifies them by looking for an exact match
on the E7 report: 73 03 50. Dolphin V1 returns an EC report of
73 01 xx (02 and 0d have been seen); Dolphin V2 returns an EC report of
73 02 xx (02 has been seen).
Dolphin V2 probably needs a different initialization sequence and/or
report parser, so it is left for a future commit.
Signed-off-by: Dave Turvene <dturvene@dahetral.com>
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
---
drivers/input/mouse/alps.c | 67 ++++++++++++++++++++++++++++++++++++++++++++--
drivers/input/mouse/alps.h | 1 +
2 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
index 9c97531..0238e0e 100644
--- a/drivers/input/mouse/alps.c
+++ b/drivers/input/mouse/alps.c
@@ -490,6 +490,29 @@ static void alps_decode_rushmore(struct alps_fields *f, unsigned char *p)
f->y_map |= (p[5] & 0x20) << 6;
}
+static void alps_decode_dolphin(struct alps_fields *f, unsigned char *p)
+{
+ f->first_mp = !!(p[0] & 0x02);
+ f->is_mp = !!(p[0] & 0x20);
+
+ f->fingers = ((p[0] & 0x6) >> 1 |
+ (p[0] & 0x10) >> 2);
+ f->x_map = ((p[2] & 0x60) >> 5) |
+ ((p[4] & 0x7f) << 2) |
+ ((p[5] & 0x7f) << 9) |
+ ((p[3] & 0x07) << 16) |
+ ((p[3] & 0x70) << 15) |
+ ((p[0] & 0x01) << 22);
+ f->y_map = (p[1] & 0x7f) |
+ ((p[2] & 0x1f) << 7);
+
+ f->x = ((p[1] & 0x7f) | ((p[4] & 0x0f) << 7));
+ f->y = ((p[2] & 0x7f) | ((p[4] & 0xf0) << 3));
+ f->z = (p[0] & 4) ? 0 : p[5] & 0x7f;
+
+ alps_decode_buttons_v3(f, p);
+}
+
static void alps_process_touchpad_packet_v3(struct psmouse *psmouse)
{
struct alps_data *priv = psmouse->private;
@@ -874,7 +897,8 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse)
}
/* Bytes 2 - pktsize should have 0 in the highest bit */
- if (psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize &&
+ if (priv->proto_version != ALPS_PROTO_V5 &&
+ psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize &&
(psmouse->packet[psmouse->pktcnt - 1] & 0x80)) {
psmouse_dbg(psmouse, "refusing packet[%i] = %x\n",
psmouse->pktcnt - 1,
@@ -1003,7 +1027,8 @@ static int alps_enter_command_mode(struct psmouse *psmouse)
return -1;
}
- if (param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) {
+ if ((param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) &&
+ param[0] != 0x73) {
psmouse_dbg(psmouse,
"unknown response while entering command mode\n");
return -1;
@@ -1495,6 +1520,23 @@ error:
return -1;
}
+static int alps_hw_init_dolphin_v1(struct psmouse *psmouse)
+{
+ struct ps2dev *ps2dev = &psmouse->ps2dev;
+ unsigned char param[2];
+
+ /* This is dolphin "v1" as empirically defined by florin9doi */
+ param[0] = 0x64;
+ param[1] = 0x28;
+
+ if (ps2_command(ps2dev, NULL, PSMOUSE_CMD_SETSTREAM) ||
+ ps2_command(ps2dev, &param[0], PSMOUSE_CMD_SETRATE) ||
+ ps2_command(ps2dev, &param[1], PSMOUSE_CMD_SETRATE))
+ return -1;
+
+ return 0;
+}
+
static void alps_set_defaults(struct alps_data *priv)
{
priv->byte0 = 0x8f;
@@ -1528,6 +1570,21 @@ static void alps_set_defaults(struct alps_data *priv)
priv->nibble_commands = alps_v4_nibble_commands;
priv->addr_command = PSMOUSE_CMD_DISABLE;
break;
+ case ALPS_PROTO_V5:
+ priv->hw_init = alps_hw_init_dolphin_v1;
+ priv->process_packet = alps_process_packet_v3;
+ priv->decode_fields = alps_decode_dolphin;
+ priv->set_abs_params = alps_set_abs_params_mt;
+ priv->nibble_commands = alps_v3_nibble_commands;
+ priv->addr_command = PSMOUSE_CMD_RESET_WRAP;
+ priv->byte0 = 0xc8;
+ priv->mask0 = 0xc8;
+ priv->flags = 0;
+ priv->x_max = 1360;
+ priv->y_max = 660;
+ priv->x_bits = 23;
+ priv->y_bits = 12;
+ break;
}
}
@@ -1588,6 +1645,12 @@ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
if (alps_match_table(psmouse, priv, e7, ec) == 0) {
return 0;
+ } else if (e7[0] == 0x73 && e7[1] == 0x03 && e7[2] == 0x50 &&
+ ec[0] == 0x73 && ec[1] == 0x01) {
+ priv->proto_version = ALPS_PROTO_V5;
+ alps_set_defaults(priv);
+
+ return 0;
} else if (ec[0] == 0x88 && ec[1] == 0x08) {
priv->proto_version = ALPS_PROTO_V3;
alps_set_defaults(priv);
diff --git a/drivers/input/mouse/alps.h b/drivers/input/mouse/alps.h
index 9704805..eee5985 100644
--- a/drivers/input/mouse/alps.h
+++ b/drivers/input/mouse/alps.h
@@ -16,6 +16,7 @@
#define ALPS_PROTO_V2 2
#define ALPS_PROTO_V3 3
#define ALPS_PROTO_V4 4
+#define ALPS_PROTO_V5 5
/**
* struct alps_model_info - touchpad ID table
--
1.8.1.2

View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and # For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
# #
%global baserelease 3 %global baserelease 1
%global fedora_build %{baserelease} %global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching # base_sublevel is the kernel version we're starting with and patching
@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level # The rc snapshot level
%define rcrev 2 %define rcrev 2
# The git snapshot level # The git snapshot level
%define gitrev 0 %define gitrev 1
# Set rpm version accordingly # Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0 %define rpmversion 3.%{upstream_sublevel}.0
%endif %endif
@ -724,27 +724,15 @@ Patch21247: ath9k_rx_dma_stop_check.patch
#rhbz 844750 #rhbz 844750
Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
#rhbz 812111
Patch21260: alps-v2.patch
#rhbz 903192 #rhbz 903192
Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
#rhbz 914737 #rhbz 914737
Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
# CVE-2013-1792 rhbz 916646,919021
Patch21267: keys-fix-race-with-concurrent-install_user_keyrings.patch
#rhbz 857954 #rhbz 857954
Patch21268: w1-fix-oops-when-w1_search-is-called-from.patch Patch21268: w1-fix-oops-when-w1_search-is-called-from.patch
#rhbz 911771
Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
#CVE-2013-0914 rhbz 920499 920510
Patch21270: signal-always-clear-sa_restorer-on-execve.patch
#CVE-2013-0913 rhbz 920471 920529 #CVE-2013-0913 rhbz 920471 920529
Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch
@ -1434,27 +1422,15 @@ ApplyPatch ath9k_rx_dma_stop_check.patch
#rhbz 844750 #rhbz 844750
ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
#rhbz 812111
ApplyPatch alps-v2.patch
#rhbz 903192 #rhbz 903192
ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
#rhbz 914737 #rhbz 914737
ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
# CVE-2013-1792 rhbz 916646,919021
ApplyPatch keys-fix-race-with-concurrent-install_user_keyrings.patch
#rhbz 857954 #rhbz 857954
ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch
#rhbz 911771
ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
#CVE-2013-0914 rhbz 920499 920510
ApplyPatch signal-always-clear-sa_restorer-on-execve.patch
#CVE-2013-0913 rhbz 920471 920529 #CVE-2013-0913 rhbz 920471 920529
ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch
@ -2303,6 +2279,10 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Fri Mar 15 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc2.git1.1
- Linux v3.9-rc2-292-ga2362d2
- Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device
* Thu Mar 14 2013 Dave Jones <davej@redhat.com> * Thu Mar 14 2013 Dave Jones <davej@redhat.com>
- Move cpufreq drivers to be modular (rhbz 746372) - Move cpufreq drivers to be modular (rhbz 746372)

View File

@ -1,15 +0,0 @@
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index 58dfe08..c5ec083 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -57,7 +57,7 @@ int install_user_keyrings(void)
kenter("%p{%u}", user, uid);
- if (user->uid_keyring) {
+ if (user->uid_keyring && user->session_keyring) {
kleave(" = 0 [exist]");
return 0;
}

View File

@ -1,40 +1,3 @@
commit 801d929ca7d935ee199fd61d8ef914f51e892270
Author: Felix Fietkau <nbd@openwrt.org>
Date: Sat Mar 2 19:05:47 2013 +0100
mac80211: another fix for idle handling in monitor mode
When setting a monitor interface up or down, the idle state needs to be
recalculated, otherwise the hardware will just stay in its previous idle
state.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 640afab..baaa860 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -541,6 +541,9 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
ieee80211_adjust_monitor_flags(sdata, 1);
ieee80211_configure_filter(local);
+ mutex_lock(&local->mtx);
+ ieee80211_recalc_idle(local);
+ mutex_unlock(&local->mtx);
netif_carrier_on(dev);
break;
@@ -812,6 +815,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
ieee80211_adjust_monitor_flags(sdata, -1);
ieee80211_configure_filter(local);
+ mutex_lock(&local->mtx);
+ ieee80211_recalc_idle(local);
+ mutex_unlock(&local->mtx);
break;
case NL80211_IFTYPE_P2P_DEVICE:
/* relies on synchronize_rcu() below */
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index baaa860..7a3d675 100644 index baaa860..7a3d675 100644
--- a/net/mac80211/iface.c --- a/net/mac80211/iface.c

View File

@ -1,63 +0,0 @@
From e94256528a988231ccc7a2a0b6b206a1131cb358 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Fri, 8 Mar 2013 21:13:52 -0500
Subject: [PATCH] serial: 8250: Keep 8250.<xxxx> module options functional
after driver rename
With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the
8250 driver was renamed to 8250_core. This means any existing usage of
the 8259.<xxxx> module parameters or as a kernel command line switch is
now broken, as the 8250_core driver doesn't parse options belonging to
something called "8250".
To solve this, we redefine the module options in a dummy function using
a redefined MODULE_PARAM_PREFX when built into the kernel. In the case
where we're building as a module, we provide an alias to the old 8250
name. The dummy function prevents compiler errors due to global variable
redefinitions that happen as part of the module_param_ macro expansions.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
---
drivers/tty/serial/8250/8250.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c
index 0efc815..f982633 100644
--- a/drivers/tty/serial/8250/8250.c
+++ b/drivers/tty/serial/8250/8250.c
@@ -3396,3 +3396,32 @@ module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444);
MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA");
#endif
MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR);
+
+#ifndef MODULE
+/* This module was renamed to 8250_core in 3.7. Keep the old "8250" name
+ * working as well for the module options so we don't break people. We
+ * need to keep the names identical and the convenient macros will happily
+ * refuse to let us do that by failing the build with redefinition errors
+ * of global variables. So we stick them inside a dummy function to avoid
+ * those conflicts. The options still get parsed, and the redefined
+ * MODULE_PARAM_PREFIX lets us keep the "8250." syntax alive.
+ *
+ * This is hacky. I'm sorry.
+ */
+static void __used s8250_options(void)
+{
+#undef MODULE_PARAM_PREFIX
+#define MODULE_PARAM_PREFIX "8250."
+
+ module_param_cb(share_irqs, &param_ops_uint, &share_irqs, 0644);
+ module_param_cb(nr_uarts, &param_ops_uint, &nr_uarts, 0644);
+ module_param_cb(skip_txen_test, &param_ops_uint, &skip_txen_test, 0644);
+#ifdef CONFIG_SERIAL_8250_RSA
+ __module_param_call(MODULE_PARAM_PREFIX, probe_rsa,
+ &param_array_ops, .arr = &__param_arr_probe_rsa,
+ 0444, -1);
+#endif
+}
+#else
+MODULE_ALIAS("8250");
+#endif
--
1.8.1.2

View File

@ -1,113 +0,0 @@
Delivered-To: jwboyer@gmail.com
Received: by 10.76.169.233 with SMTP id ah9csp99159oac;
Mon, 11 Mar 2013 13:14:17 -0700 (PDT)
X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671;
Mon, 11 Mar 2013 13:14:16 -0700 (PDT)
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10;
Mon, 11 Mar 2013 13:14:16 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1754069Ab3CKUN4 (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others);
Mon, 11 Mar 2013 16:13:56 -0400
Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net"
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
id S1753913Ab3CKUN4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
Mon, 11 Mar 2013 16:13:56 -0400
Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201;
Mon, 11 Mar 2013 13:13:43 -0700
Date: Mon, 11 Mar 2013 13:13:42 -0700
From: Kees Cook <keescook@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: Al Viro <viro@zeniv.linux.org.uk>, Oleg Nesterov <oleg@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
Emese Revfy <re.emese@gmail.com>,
PaX Team <pageexec@freemail.hu>, jln@google.com
Subject: [PATCH v2] signal: always clear sa_restorer on execve
Message-ID: <20130311201342.GA19824@www.outflux.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
When the new signal handlers are set up, the location of sa_restorer
is not cleared, leaking a parent process's address space location to
children. This allows for a potential bypass of the parent's ASLR by
examining the sa_restorer value returned when calling sigaction().
Based on what should be considered "secret" about addresses, it only
matters across the exec not the fork (since the VMAs haven't changed
until the exec). But since exec sets SIG_DFL and keeps sa_restorer,
this is where it should be fixed.
Given the few uses of sa_restorer, a "set" function was not written
since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER,
as already done in other places.
Example of the leak before applying this patch:
$ cat /proc/$$/maps
...
7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
...
$ ./leak
...
7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
...
1 0 (nil) 0x7fb9f30b94a0
2 4000000 (nil) 0x7f278bcaa4a0
3 4000000 (nil) 0x7f278bcaa4a0
4 0 (nil) 0x7fb9f30b94a0
...
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Emese Revfy <re.emese@gmail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: PaX Team <pageexec@freemail.hu>
Cc: stable@vger.kernel.org
---
v2:
- clarify commit, explain use of #ifdef.
---
kernel/signal.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/signal.c b/kernel/signal.c
index 2ec870a..8c8e3ca 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
if (force_default || ka->sa.sa_handler != SIG_IGN)
ka->sa.sa_handler = SIG_DFL;
ka->sa.sa_flags = 0;
+#ifdef __ARCH_HAS_SA_RESTORER
+ ka->sa.sa_restorer = NULL;
+#endif
sigemptyset(&ka->sa.sa_mask);
ka++;
}
--
1.7.9.5
--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

View File

@ -1,2 +1,3 @@
1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz
519f8799f8cf9aae2f05ba8fadc43bd1 patch-3.9-rc2.xz 519f8799f8cf9aae2f05ba8fadc43bd1 patch-3.9-rc2.xz
813d50e12eb677a04e4a2743cc54242d patch-3.9-rc2-git1.xz