diff options
| author | Mathias Krause <minipli@googlemail.com> | 2014-10-04 23:06:39 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-11-14 08:48:00 -0800 |
| commit | f9b6264a0fdf9268e61a065177dde1c8f823dfc0 (patch) | |
| tree | 4bfad9ce9ea5601951296498ceddb44eea5db86b /arch/x86 | |
| parent | 9c31f4eca5d2633c78fb06be7d781583d4bf1cfa (diff) | |
| download | lwn-f9b6264a0fdf9268e61a065177dde1c8f823dfc0.tar.gz lwn-f9b6264a0fdf9268e61a065177dde1c8f823dfc0.zip | |
posix-timers: Fix stack info leak in timer_create()
commit 6891c4509c792209c44ced55a60f13954cb50ef4 upstream.
If userland creates a timer without specifying a sigevent info, we'll
create one ourself, using a stack local variable. Particularly will we
use the timer ID as sival_int. But as sigev_value is a union containing
a pointer and an int, that assignment will only partially initialize
sigev_value on systems where the size of a pointer is bigger than the
size of an int. On such systems we'll copy the uninitialized stack bytes
from the timer_create() call to userland when the timer actually fires
and we're going to deliver the signal.
Initialize sigev_value with 0 to plug the stack info leak.
Found in the PaX patch, written by the PaX Team.
Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...")
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'arch/x86')
0 files changed, 0 insertions, 0 deletions