authorBen Hutchings <ben@decadent.org.uk>2020-06-09 18:57:31 +0100
committerBen Hutchings <ben@decadent.org.uk>2020-06-09 18:57:31 +0100
commitd71ae8c6f690453efd54b10b2dec6bb601103dfe (patch)
treef1172605d88464e2431bc67dd0f657eca4ba2c19
parent534b67c46042059501de7c44256f1c249ede56c4 (diff)
downloadlinux-stable-queue-d71ae8c6f690453efd54b10b2dec6bb601103dfe.tar.gz
Add fix for potential coredump information leaksHEADmaster
The known information leak on x86 systems does not exist here, but some more obscure architectures appear to have similar leaks.
-rw-r--r--queue-3.16/fs-binfmt_elf.c-allocate-initialized-memory-in.patch37
-rw-r--r--queue-3.16/series1
2 files changed, 38 insertions, 0 deletions
diff --git a/queue-3.16/fs-binfmt_elf.c-allocate-initialized-memory-in.patch b/queue-3.16/fs-binfmt_elf.c-allocate-initialized-memory-in.patch
new file mode 100644
index 00000000..736e9f4d
--- /dev/null
+++ b/queue-3.16/fs-binfmt_elf.c-allocate-initialized-memory-in.patch
@@ -0,0 +1,37 @@
+From: Alexander Potapenko <glider@google.com>
+Date: Wed, 27 May 2020 22:20:52 -0700
+Subject: fs/binfmt_elf.c: allocate initialized memory in
+ fill_thread_core_info()
+
+commit 1d605416fb7175e1adf094251466caa52093b413 upstream.
+
+KMSAN reported uninitialized data being written to disk when dumping
+core. As a result, several kilobytes of kmalloc memory may be written
+to the core file and then read by a non-privileged user.
+
+Reported-by: sam <sunhaoyl@outlook.com>
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Link: http://lkml.kernel.org/r/20200419100848.63472-1-glider@google.com
+Link: https://github.com/google/kmsan/issues/76
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/binfmt_elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1575,7 +1575,7 @@ static int fill_thread_core_info(struct
+ (!regset->active || regset->active(t->task, regset) > 0)) {
+ int ret;
+ size_t size = regset->n * regset->size;
+- void *data = kmalloc(size, GFP_KERNEL);
++ void *data = kzalloc(size, GFP_KERNEL);
+ if (unlikely(!data))
+ return 0;
+ ret = regset->get(t->task, regset,
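Review bot: The `kzalloc()` call in the embedded `fill_thread_core_info()` hunk carries no comment explaining why the buffer must be zeroed, so a later cleanup could switch it back to `kmalloc()` and reintroduce the leak into core files. I would add a line above the allocation such as `/* regset->get() may fill fewer than size bytes; zero the buffer so stale heap data never reaches the core file */`. The commit message implies that some architectures' `regset->get()` callbacks leave part of the buffer unwritten, but those callbacks are not visible on this page, so that is inferred. The function body starts before and continues past the hunk, so how `ret` and `data` are handled after the `regset->get()` call, and whether other buffers dumped on 3.16 are zero-initialised, cannot be confirmed from here.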
diff --git a/queue-3.16/series b/queue-3.16/series
index 6a88cc2c..cb72f717 100644
--- a/queue-3.16/series
+++ b/queue-3.16/series
@@ -58,3 +58,4 @@ x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch
x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch
x86-speculation-add-ivy-bridge-to-affected-list.patch
random-always-use-batched-entropy-for-get_random_u-32-64.patch
+fs-binfmt_elf.c-allocate-initialized-memory-in.patch