[PATCH] information leak in sigaltstack (linux-kernel, msg #12012)
Unfortunately the stack_t data structure was defined before people cared much about 64-bit architectures. It has a hole in the middle. And this hole is creating an information leak in the sigaltstack syscall. When the second parameter to sigaltstack is non-NULL the current stack information is passed to the caller by filling in the members of the stack_t structure and then the whole structure is copied using copy_to_user. This unfortunately leaves the hole after flags uninitialized. The following patch should fix the issue.

Signed-off-by: Ulrich Drepper <drepper@xxxxxxxxxx>

diff --git a/kernel/signal.c b/kernel/signal.c index ccf1cee..612d6b7 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -2455,6 +2455,9 @@ do_sigaltstack (const stack_t __user *uss, stack_t __user *uoss, unsigned long s int error; if (uoss) { + if (offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags) != + offsetof(stack_t, ss_size)) + memset(&oss, '\0', sizeof(oss)); oss.ss_sp = (void __user *) current->sas_ss_sp; oss.ss_size = current->sas_ss_size; oss.ss_flags = sas_ss_flags(sp);
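Review bot: Gating the memset on `offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags) != offsetof(stack_t, ss_size)` makes the fix depend on one specific gap in the layout: on any ABI where that particular gap is absent but some other padding exists in stack_t, nothing is zeroed and the leak remains, and since the condition is a compile-time constant the `if` is folded away anyway, so it buys nothing at runtime. An unconditional `memset(&oss, 0, sizeof(oss));` at the top of the `if (uoss)` block (or zero-initialising `oss` at its declaration, which is outside this hunk) is simpler, obviously correct on every architecture, and costs a handful of byte stores before the three member assignments. Minor style point: `'\0'` as the fill value reads oddly where the kernel idiom is plain `0`.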
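The mechanism described in the message, a struct whose members are all assigned but whose padding is never written, so a whole-struct copy exports stale memory, can be reproduced in user space. The following is an added example, not code from the patch or the kernel: it models the 64-bit stack_t layout under a hypothetical name `kstack_t`, seeds the slot the struct will occupy with a recognisable stale byte (0xAA standing in for leftover kernel stack contents), fills the members the way do_sigaltstack does, and counts how many padding bytes the stale value survives in, with and without a memset first. The sample pointer, flag and size values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of the 64-bit stack_t layout (hypothetical name, constructed
 * for this example): void * (8) + int (4) + 4 padding bytes + size_t (8). */
typedef struct {
    void *ss_sp;
    int ss_flags;
    size_t ss_size;
} kstack_t;

/* Padding between ss_flags and ss_size: the same quantity the patch tests for. */
size_t padding_bytes(void)
{
    return offsetof(kstack_t, ss_size) - (offsetof(kstack_t, ss_flags) + sizeof(int));
}

/* Models do_sigaltstack filling oss. With zero_first == 0 only the three members
 * are stored, as in the unpatched kernel; with zero_first != 0 the struct is
 * cleared before the member stores, which is what the fix achieves. */
static void fill_stack_info(kstack_t *oss, int zero_first)
{
    if (zero_first)
        memset(oss, 0, sizeof(*oss));
    oss->ss_sp = (void *)(uintptr_t)0x7ffd0000u; /* constructed sample values */
    oss->ss_flags = 2;                           /* e.g. SS_DISABLE */
    oss->ss_size = 8192;
}

/* Simulates what copy_to_user would export: the slot holding the struct starts
 * out full of a stale marker byte, the filler runs, and the padding region is
 * inspected for bytes that still carry the marker. */
size_t leaked_padding_bytes(int zero_first)
{
    union {
        kstack_t s;
        unsigned char raw[sizeof(kstack_t)];
    } slot;
    memset(slot.raw, 0xAA, sizeof slot.raw);
    fill_stack_info(&slot.s, zero_first);

    size_t start = offsetof(kstack_t, ss_flags) + sizeof(int);
    size_t end = offsetof(kstack_t, ss_size);
    size_t leaked = 0;
    volatile unsigned char *p = slot.raw; /* force real loads from the slot */
    for (size_t i = start; i < end; i++)
        if (p[i] == 0xAA)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("sizeof(kstack_t)=%zu, padding between ss_flags and ss_size=%zu\n",
           sizeof(kstack_t), padding_bytes());
    printf("member stores only: %zu stale padding byte(s) would be copied out\n",
           leaked_padding_bytes(0));
    printf("memset first:       %zu stale padding byte(s) would be copied out\n",
           leaked_padding_bytes(1));
    return 0;
}
```

On an LP64 target the member-store-only path reports 4 stale bytes and the zeroed path reports 0; on an ILP32 target the padding is absent and both report 0, which is exactly why the patch's offsetof check is true on 64-bit and false on 32-bit kernels.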