waitid(): Add missing access_ok() checks (CVE-2017-5123)
This commit is contained in:
parent
6f55d3e571
commit
35125947a2
|
@ -12,6 +12,7 @@ linux (4.13.4-2) UNRELEASED; urgency=medium
|
|||
* mac80211: fix deadlock in driver-managed RX BA session start.
|
||||
Thanks to Eric Côté (Closes: #878092)
|
||||
* KEYS: prevent KEYCTL_READ on negative key (CVE-2017-12192)
|
||||
* waitid(): Add missing access_ok() checks (CVE-2017-5123)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Wed, 04 Oct 2017 23:14:54 +0100
|
||||
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Mon, 9 Oct 2017 11:36:52 -0700
|
||||
Subject: waitid(): Add missing access_ok() checks
|
||||
Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123
|
||||
|
||||
Adds missing access_ok() checks.
|
||||
|
||||
CVE-2017-5123
|
||||
|
||||
Reported-by: Chris Salls <chrissalls5@gmail.com>
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
|
||||
Cc: stable@kernel.org # 4.13
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
kernel/exit.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/kernel/exit.c b/kernel/exit.c
|
||||
index f2cd53e92147..cf28528842bc 100644
|
||||
--- a/kernel/exit.c
|
||||
+++ b/kernel/exit.c
|
||||
@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
|
||||
if (!infop)
|
||||
return err;
|
||||
|
||||
+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
|
||||
+ goto Efault;
|
||||
+
|
||||
user_access_begin();
|
||||
unsafe_put_user(signo, &infop->si_signo, Efault);
|
||||
unsafe_put_user(0, &infop->si_errno, Efault);
|
||||
@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
|
||||
if (!infop)
|
||||
return err;
|
||||
|
||||
+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
|
||||
+ goto Efault;
|
||||
+
|
||||
user_access_begin();
|
||||
unsafe_put_user(signo, &infop->si_signo, Efault);
|
||||
unsafe_put_user(0, &infop->si_errno, Efault);
|
||||
--
|
||||
2.15.0.rc0
|
||||
|
|
@ -124,6 +124,7 @@ bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
|
|||
bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
|
||||
bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
|
||||
bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch
|
||||
bugfix/all/waitid-Add-missing-access_ok-checks.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
|
||||
|
|
Loading…
Reference in New Issue