• Dan Rosenberg's avatar
    sys_semctl: fix kernel stack leakage · 982f7c2b
    Dan Rosenberg authored
    The semctl syscall has several code paths that lead to the leakage of
    uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
    IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
    version of the semid_ds struct.
    
    The copy_semid_to_user() function declares a semid_ds struct on the stack
    and copies it back to the user without initializing or zeroing the
    "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
    allowing the leakage of 16 bytes of kernel stack memory.
    
    The code is still reachable on 32-bit systems - when calling semctl()
    newer glibc's automatically OR the IPC command with the IPC_64 flag, but
    invoking the syscall directly allows users to use the older versions of
    the struct.
    Signed-off-by: default avatarDan Rosenberg <dan.j.rosenberg@gmail.com>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    982f7c2b
sem.c 40.3 KB