Re: [PATCH] fix infoleak in mm
From: Catalin Marinas
Date: Wed May 04 2016 - 06:31:38 EST
On Tue, May 03, 2016 at 04:36:08PM -0400, Kangjie Lu wrote:
> The stack object âsiâ has a total size of 128; however, only 20
> bytes are initialized. The remaining uninitialized bytes are sent
> to userland via send_signal
>
> Signed-off-by: Kangjie Lu <kjlu@xxxxxxxxxx>
> ---
> arch/arm64/mm/fault.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index 95df28b..f790eda 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> @@ -117,6 +117,7 @@ static void __do_user_fault(struct task_struct *tsk, unsigned long addr,
> {
> struct siginfo si;
>
> + memset(&si, 0, sizeof(si));
> if (unhandled_signal(tsk, sig) && show_unhandled_signals_ratelimited()) {
> pr_info("%s[%d]: unhandled %s (%d) at 0x%08lx, esr 0x%03x\n",
> tsk->comm, task_pid_nr(tsk), fault_name(esr), sig,
I'm not convinced this is necessary. Have you actually seen such
information leak getting to user space? The actual writing of siginfo to
the user stack happens in copy_siginfo_to_user() (called from
setup_rt_frame) which should (at least in theory) only copy
pre-populated fields.
--
Catalin