fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (CVE-2020-10732)
parent
2222852cc1
commit
7fc7c96d6e
|
@ -10,6 +10,8 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
|
|||
* scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
|
||||
* USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
|
||||
* netlabel: cope with NULL catmap (CVE-2020-10711)
|
||||
* fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
|
||||
(CVE-2020-10732)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 May 2020 23:02:30 +0200
|
||||
|
||||
|
|
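--- /dev/null
+++ b/debian/patches/bugfix/all/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch
@@ -0,0 +1,41 @@
+From: Alexander Potapenko <glider@google.com>
+Date: Wed, 27 May 2020 22:20:52 -0700
+Subject: fs/binfmt_elf.c: allocate initialized memory in
+fill_thread_core_info()
+Origin: https://git.kernel.org/linus/1d605416fb7175e1adf094251466caa52093b413
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-10732
+
+KMSAN reported uninitialized data being written to disk when dumping
+core. As a result, several kilobytes of kmalloc memory may be written
+to the core file and then read by a non-privileged user.
+
+Reported-by: sam <sunhaoyl@outlook.com>
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200419100848.63472-1-glider@google.com
+Link: https://github.com/google/kmsan/issues/76
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+fs/binfmt_elf.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 13f25e241ac4..25d489bc9453 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1733,7 +1733,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
+(!regset->active || regset->active(t->task, regset) > 0)) {
+int ret;
+size_t size = regset_size(t->task, regset);
+- void *data = kmalloc(size, GFP_KERNEL);
++ void *data = kzalloc(size, GFP_KERNEL);
+if (unlikely(!data))
+return 0;
+ret = regset->get(t->task, regset,
+--
+2.27.0.rc0
+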
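Review bot: The `kzalloc()` line in the embedded fs/binfmt_elf.c hunk has no comment recording why the buffer must be zeroed, so a later cleanup could switch it back to `kmalloc()` and reintroduce the disclosure the patch header describes. I would add above the allocation `/* Must be zeroed: any bytes regset->get() leaves unwritten are dumped into the core file. */`. That `regset->get()` can fill fewer than `size` bytes is inferred from the KMSAN report in the description, not from lines visible here. fill_thread_core_info() starts and ends outside the hunk, so how the filled buffer is later written out cannot be checked from this page.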
|
|
@ -307,5 +307,6 @@ bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
|
|||
bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
|
||||
bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
|
||||
bugfix/all/netlabel-cope-with-NULL-catmap.patch
|
||||
bugfix/all/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
|