sys_semctl: fix kernel stack leakage
The semctl syscall has several code paths that lead to the leakage of
uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
version of the semid_ds struct.

The copy_semid_to_user() function declares a semid_ds struct on the stack
and copies it back to the user without initializing or zeroing the
"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
allowing the leakage of 16 bytes of kernel stack memory.

The code is still reachable on 32-bit systems - when calling semctl()
newer versions of glibc automatically OR the IPC command with the IPC_64
flag, but invoking the syscall directly allows users to use the older
versions of the struct.

Signed-off-by: Dan Rosenberg <[email protected]>
Cc: Manfred Spraul <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Dan Rosenberg authored and torvalds committed Oct 1, 2010
1 parent 64aab72 commit 982f7c2
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions ipc/sem.c
@@ -743,6 +743,8 @@ static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in,
{
struct semid_ds out;

memset(&out, 0, sizeof(out));

ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);

out.sem_otime = in->sem_otime;
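Review bot: memset(&out, 0, sizeof(out)) is the right form of the fix here rather than a zero-initializer on the declaration, because `= {0}` leaves padding bytes unspecified and the field-by-field copy that follows (`out.sem_otime = in->sem_otime;` and so on) never writes the pointer members or the padding, so both would still reach user space through the later copy. The memset clears the whole struct, so the sem_base, sem_pending, sem_pending_last and undo pointers named in the commit message and any compiler padding are zeroed before the copy-out; the hunk shows only the start of the per-field copy, so it is worth confirming that every stack-allocated legacy struct copied to user space in this file gets the same treatment.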

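A userspace model of the leak and of the memset() fix, added here as an illustration and not part of the commit or of the kernel: the struct layouts mirror the 32-bit legacy semid_ds with the four kernel pointers modelled as 4-byte integers, a union pre-filled with 0xAA stands in for stale kernel stack, and all names and values are constructed. The count it returns also includes the two trailing padding bytes, which the 16-byte figure in the commit message does not.

```c
/* Constructed userspace model of copy_semid_to_user(); not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct ipc_perm32 { int32_t key; uint16_t uid, gid, cuid, cgid, mode, seq; };
struct semid_ds32 {
    struct ipc_perm32 sem_perm;
    int32_t  sem_otime, sem_ctime;
    uint32_t sem_base, sem_pending, sem_pending_last, undo; /* never written */
    uint16_t sem_nsems;                      /* 2 bytes of trailing padding follow */
};
/* The fields the kernel legitimately copies out (simplified semid64_ds side). */
struct semid64_in { struct ipc_perm32 perm; int32_t otime, ctime; uint16_t nsems; };

/* A byte view of the stack slot the legacy struct lives in. */
union frame { struct semid_ds32 s; uint8_t b[sizeof(struct semid_ds32)]; };

#define STALE 0xAA   /* marker for bytes left behind by an earlier call */

/* Field-by-field copy as in copy_semid_to_user(); zero_first selects the
 * pre-patch behaviour (0) or the memset() added by this commit (1). */
static void copy_semid_model(union frame *stack, const struct semid64_in *in,
                             int zero_first, uint8_t *user_buf)
{
    struct semid_ds32 *out = &stack->s;
    if (zero_first)
        memset(out, 0, sizeof(*out));       /* the one-line fix */
    out->sem_perm  = in->perm;              /* stands in for ipc64_perm_to_ipc_perm() */
    out->sem_otime = in->otime;
    out->sem_ctime = in->ctime;
    out->sem_nsems = in->nsems;
    memcpy(user_buf, out, sizeof(*out));    /* stands in for copy_to_user() */
}

/* Count how many stale stack bytes reach the "user" buffer for one call. */
size_t leaked_bytes(int zero_first)
{
    union frame stack;
    uint8_t user[sizeof(struct semid_ds32)];
    struct semid64_in in = { { 0x1234, 1000, 1000, 1000, 1000, 0666, 7 }, 1, 2, 3 };
    size_t i, n = 0;

    memset(stack.b, STALE, sizeof(stack.b));   /* leftovers of an earlier call */
    copy_semid_model(&stack, &in, zero_first, user);
    for (i = 0; i < sizeof(user); i++)
        if (user[i] == STALE)
            n++;
    return n;   /* 18 without the memset (16 pointer bytes + 2 padding), 0 with it */
}
```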