fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() (CVE-2020-10732)

debian/changelog

@@ -10,6 +10,8 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
   * scsi: sg: add sg_remove_request in sg_write (CVE-2020-12770)
   * USB: gadget: fix illegal array access in binding with UDC (CVE-2020-13143)
   * netlabel: cope with NULL catmap (CVE-2020-10711)
+  * fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
+    (CVE-2020-10732)
 
  -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 28 May 2020 23:02:30 +0200
 

debian/patches/bugfix/all/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch

@@ -0,0 +1,41 @@
+From: Alexander Potapenko <glider@google.com>
+Date: Wed, 27 May 2020 22:20:52 -0700
+Subject: fs/binfmt_elf.c: allocate initialized memory in
+ fill_thread_core_info()
+Origin: https://git.kernel.org/linus/1d605416fb7175e1adf094251466caa52093b413
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-10732
+
+KMSAN reported uninitialized data being written to disk when dumping
+core.  As a result, several kilobytes of kmalloc memory may be written
+to the core file and then read by a non-privileged user.
+
+Reported-by: sam <sunhaoyl@outlook.com>
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200419100848.63472-1-glider@google.com
+Link: https://github.com/google/kmsan/issues/76
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/binfmt_elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 13f25e241ac4..25d489bc9453 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1733,7 +1733,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t,
+ 		    (!regset->active || regset->active(t->task, regset) > 0)) {
+ 			int ret;
+ 			size_t size = regset_size(t->task, regset);
+-			void *data = kmalloc(size, GFP_KERNEL);
++			void *data = kzalloc(size, GFP_KERNEL);
+ 			if (unlikely(!data))
+ 				return 0;
+ 			ret = regset->get(t->task, regset,
+-- 
+2.27.0.rc0
+

debian/patches/series

@@ -307,5 +307,6 @@ bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
 bugfix/all/scsi-sg-add-sg_remove_request-in-sg_write.patch
 bugfix/all/usb-gadget-fix-illegal-array-access-in-binding-with-.patch
 bugfix/all/netlabel-cope-with-NULL-catmap.patch
+bugfix/all/fs-binfmt_elf.c-allocate-initialized-memory-in-fill_.patch
 
 # ABI maintenance