• Nelson Elhage's avatar
    do_exit(): make sure that we run with get_fs() == USER_DS · 33dd94ae
    Nelson Elhage authored
    If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
    otherwise reset before do_exit().  do_exit may later (via mm_release in
    fork.c) do a put_user to a user-controlled address, potentially allowing
    a user to leverage an oops into a controlled write into kernel memory.
    
    This is only triggerable in the presence of another bug, but this
    potentially turns a lot of DoS bugs into privilege escalations, so it's
    worth fixing.  I have proof-of-concept code which uses this bug along
    with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
    I've tested that this is not theoretical.
    
    A more logical place to put this fix might be when we know an oops has
    occurred, before we call do_exit(), but that would involve changing
    every architecture, in multiple places.
    
    Let's just stick it in do_exit instead.
    
    [akpm@linux-foundation.org: update code comment]
    Signed-off-by: default avatarNelson Elhage <nelhage@ksplice.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: <stable@kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    33dd94ae
exit.c 44.4 KB