linux/arch/powerpc/kernel
Amanieu d'Antras 3c00cb5e68 signal: fix information leak in copy_siginfo_from_user32
This function can leak kernel stack data when the user siginfo_t has a
positive si_code value.  The top 16 bits of si_code describe which fields
in the siginfo_t union are active, but they are treated inconsistently
between copy_siginfo_from_user32, copy_siginfo_to_user32 and
copy_siginfo_to_user.

copy_siginfo_from_user32 is called from rt_sigqueueinfo and
rt_tgsigqueueinfo in which the user has full control over the top 16 bits
of si_code.

This fixes the following information leaks:
x86:   8 bytes leaked when sending a signal from a 32-bit process to
       itself. This leak grows to 16 bytes if the process uses x32.
       (si_code = __SI_CHLD)
x86:   100 bytes leaked when sending a signal from a 32-bit process to
       a 64-bit process. (si_code = -1)
sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
       64-bit process. (si_code = any)

parisc and s390 have similar bugs, but they are not vulnerable because
rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
to a different process.  These bugs are also fixed for consistency.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-08-07 04:39:40 +03:00
vdso32 powerpc: 32 bit getcpu VDSO function uses 64 bit instructions 2014-11-27 09:42:12 +11:00
vdso64 powerpc/booke64: Use SPRG7 for VDSO 2014-03-19 19:57:14 -05:00
.gitignore
Makefile Devicetree changes for v4.2 2015-07-01 19:40:18 -07:00
align.c powerpc: Remove double braces in alignment code. 2014-11-10 09:59:32 +11:00
asm-offsets.c powerpc/kernel: Rename PACA_DSCR to PACA_DSCR_DEFAULT 2015-06-07 19:29:00 +10:00
audit.c
btext.c powerpc/btext: Fix CONFIG_PPC_EARLY_DEBUG_BOOTX on ppc32 2013-08-27 16:01:23 +10:00
cacheinfo.c powerpc: Fix missing L2 cache size in /sys/devices/system/cpu 2015-04-11 20:49:28 +10:00
cacheinfo.h
compat_audit.c
cpu_setup_6xx.S
cpu_setup_44x.S
cpu_setup_fsl_booke.S powerpc/booke: Restrict SPE exception handlers to e200/e500 cores 2014-09-22 10:11:31 +02:00
cpu_setup_pa6t.S
cpu_setup_power.S powerpc/book3s: Fix flush_tlb cpu_spec hook to take a generic argument. 2015-03-17 07:52:48 +11:00
cpu_setup_ppc970.S
cputable.c powerpc/tm: Abort syscalls in active transactions 2015-06-19 17:10:28 +10:00
crash.c arch,powerpc: Convert smp_mb__*() 2014-04-18 14:20:41 +02:00
crash_dump.c powerpc: Remove superfluous bootmem includes 2014-11-10 09:59:26 +11:00
dbell.c powerpc/powernv: Fixes for hypervisor doorbell handling 2015-03-20 14:51:53 +11:00
dma-iommu.c powerpc/iommu: Rename iommu_[un]map_sg functions 2014-11-18 11:30:01 +01:00
dma-swiotlb.c powerpc: fsl_pci, swiotlb: Move controller ops from ppc_md to controller_ops 2015-04-11 20:49:17 +10:00
dma.c powerpc/pci: add dma_set_mask to pci_controller_ops 2015-06-02 13:18:49 +10:00
eeh.c powerpc/eeh/ioda2: Use device::iommu_group to check IOMMU group 2015-06-11 15:14:54 +10:00
eeh_cache.c powerpc/eeh: fix start/end/flags type in struct pci_io_addr_range{} 2015-05-13 14:00:07 +10:00
eeh_dev.c powerpc/eeh: Create eeh_dev from pci_dn instead of device_node 2015-03-24 13:15:51 +11:00
eeh_driver.c powerpc/eeh: fix comment for wait_state() 2015-05-13 14:00:07 +10:00
eeh_event.c powerpc/powernv: Fix killed EEH event 2014-06-11 17:04:33 +10:00
eeh_pe.c powerpc/eeh: Fix PE#0 check in eeh_add_to_parent_pe() 2015-03-31 13:10:39 +11:00
eeh_sysfs.c powerpc/eeh: Fix PE state format 2014-11-27 09:32:58 +11:00
entry_32.S powerpc: Remove old compile time disabled syscall tracing code 2015-02-02 14:51:32 +11:00
entry_64.S powerpc/tm: Abort syscalls in active transactions 2015-06-19 17:10:28 +10:00
epapr_hcalls.S powerpc: Add paravirt idle loop for 64-bit Book-E 2013-03-13 14:19:36 -05:00
epapr_paravirt.c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2014-06-10 18:54:22 -07:00
exceptions-64e.S powerpc/booke: Revert SPE/AltiVec common defines for interrupt numbers 2014-09-22 10:11:31 +02:00
exceptions-64s.S powerpc: Non relocatable system call doesn't need a trampoline 2015-06-02 13:26:47 +10:00
fadump.c powerpc/fadump: Fix endianess issues in firmware assisted dump handling 2014-10-30 16:52:46 +11:00
firmware.c
fpu.S powerpc: Don't corrupt transactional state when using FP/VMX in kernel 2014-01-15 13:59:11 +11:00
fsl_booke_entry_mapping.S powerpc: enable the relocatable support for the fsl booke 32bit kernel 2014-01-09 17:52:16 -06:00
ftrace.c powerpc updates for 3.19 2014-12-11 17:48:14 -08:00
head_8xx.S powerpc/8xx: Implementation of PAGE_EXEC 2015-06-02 21:37:28 -05:00
head_32.S
head_40x.S powerpc: Remove check for CONFIG_SERIAL_TEXT_DEBUG 2014-06-11 16:31:21 +10:00
head_44x.S powerpc/ppc476: Disable BTAC 2014-08-13 15:13:42 +10:00
head_64.S Merge remote-tracking branch 'scott/next' into next 2014-08-05 14:13:41 +10:00
head_booke.h powerpc: Fix interrupt range check on debug exception 2013-05-02 10:31:01 +10:00
head_fsl_booke.S powerpc/booke: Revert SPE/AltiVec common defines for interrupt numbers 2014-09-22 10:11:31 +02:00
hw_breakpoint.c powerpc: Replace __get_cpu_var uses 2014-11-03 12:12:32 +11:00
ibmebus.c powerpc: make of_device_ids const 2014-09-25 23:14:46 +10:00
idle.c powerpc/idle: Convert use of typedef ctl_table to struct ctl_table 2013-07-01 11:10:35 +10:00
idle_6xx.S powerpc: Use CURRENT_THREAD_INFO instead of open coded assembly 2012-07-11 14:18:22 +10:00
idle_book3e.S powerpc: No need to use dot symbols when branching to a function 2014-04-23 10:05:16 +10:00
idle_e500.S powerpc/e500mc: Remove dead L2 flushing code in idle_e500.S 2015-06-02 21:37:19 -05:00
idle_power4.S powerpc: No need to use dot symbols when branching to a function 2014-04-23 10:05:16 +10:00
idle_power7.S powerpc/powernv: Fix race in updating core_idle_state 2015-07-07 10:16:52 +10:00
io-workarounds.c powerpc/mm/thp: Make page table walk safe against thp split/collapse 2015-04-17 11:23:39 +10:00
io.c powerpc/powernv: Add PIO accessors for Power8 LPC bus 2013-08-14 14:58:08 +10:00
iomap.c powerpc/kerenl: Enable EEH for IO accessors 2014-06-24 12:43:13 +10:00
iommu.c powerpc/iommu/powernv: Release replaced TCE 2015-06-11 15:16:49 +10:00
irq.c powerpc: Remove superfluous bootmem includes 2014-11-10 09:59:26 +11:00
isa-bridge.c POWERPC: drivers: remove __dev* attributes. 2013-01-03 15:57:04 -08:00
jump_label.c
kgdb.c powerpc: Replace __get_cpu_var uses 2014-11-03 12:12:32 +11:00
kprobes.c powerpc: Replace __get_cpu_var uses 2014-11-03 12:12:32 +11:00
kvm.c At over 200 commits, covering almost all supported architectures, this 2014-06-04 08:47:12 -07:00
kvm_emul.S
l2cr_6xx.S
legacy_serial.c powerpc: make of_device_ids const 2014-09-25 23:14:46 +10:00
machine_kexec.c powerpc: Fix endian issues in kexec and crash dump code 2014-02-11 11:24:52 +11:00
machine_kexec_32.c
machine_kexec_64.c kexec: add IND_FLAGS macro 2015-02-17 14:34:51 -08:00
mce.c powerpc/mce: fix off by one errors in mce event handling 2015-05-12 19:44:01 +10:00
mce_power.c powerpc/book3s: Fix flush_tlb cpu_spec hook to take a generic argument. 2015-03-17 07:52:48 +11:00
misc.S powerpc: Rename __get_SP() to current_stack_pointer() 2014-10-15 11:23:20 +11:00
misc_32.S powerpc: Set the correct ksp_limit on ppc32 when switching to irq stack 2014-02-17 11:19:34 +11:00
misc_64.S powerpc: module: handle MODVERSION for .TOC. 2014-04-23 10:05:28 +10:00
module.c powerpc: Move local setup.h declarations to arch includes 2013-10-30 16:00:31 +11:00
module_32.c powerpc: Use pr_fmt in module loader code 2014-10-02 17:33:54 +10:00
module_64.c powerpc: Use pr_fmt in module loader code 2014-10-02 17:33:54 +10:00
msi.c powerpc: Remove MSI-related PCI controller ops from ppc_md 2015-06-02 11:47:45 +10:00
nvram_64.c powerpc/rtas: Make timestamp related code y2038-safe 2015-03-23 14:06:11 +11:00
of_platform.c powerpc/eeh: Do probe on pci_dn 2015-03-24 13:15:52 +11:00
paca.c powerpc/kernel: Avoid memory corruption at early stage 2015-01-23 14:02:52 +11:00
pci-common.c powerpc/pci: Add pcibios_disable_device() hook 2015-06-03 13:27:16 +10:00
pci-hotplug.c powerpc/pci: Add release_device() hook to phb ops 2015-06-03 13:27:15 +10:00
pci_32.c powerpc: Remove more traces of bootmem 2014-11-19 21:41:51 +11:00
pci_64.c powerpc updates for 3.19 2014-12-11 17:48:14 -08:00
pci_dn.c powerpc/powernv: Shift VF resource with an offset 2015-03-31 13:02:38 +11:00
pci_of_scan.c powerpc: Remove shims for pci_controller_ops operations 2015-04-11 20:49:18 +10:00
pmc.c
ppc32.h powerpc: switch to generic old sigaction() 2013-02-03 18:16:10 -05:00
ppc_ksyms.c powerpc: Rename __get_SP() to current_stack_pointer() 2014-10-15 11:23:20 +11:00
ppc_ksyms_32.c powerpc: Separate ppc32 symbol exports into ppc_ksyms_32.c 2014-09-25 23:14:40 +10:00
ppc_save_regs.S
proc_powerpc.c proc_powerpc: switch to fixed_size_llseek() 2013-06-29 12:57:50 +04:00
process.c powerpc/kernel: Remove the unused extern dscr_default 2015-06-07 19:27:26 +10:00
prom.c arm64 updates for 4.2, mostly refactoring/clean-up: 2015-06-24 10:02:15 -07:00
prom_init.c PCI: Remove unnecessary #includes of <asm/pci.h> 2015-06-08 07:56:09 -05:00
prom_init_check.sh powerpc: Simplify symbol check in prom_init_check.sh 2014-09-25 23:14:46 +10:00
prom_parse.c powerpc: of_parse_dma_window should take a __be32 *dma_window 2013-08-14 15:33:26 +10:00
ptrace.c Merge git://git.infradead.org/users/eparis/audit 2014-10-19 16:25:56 -07:00
ptrace32.c powerpc: move debug registers in a structure 2013-10-18 18:44:49 -05:00
reloc_32.S powerpc: Don't flush/invalidate the d/icache for an unknown relocation type 2013-07-01 11:10:34 +10:00
reloc_64.S powerpc: Align p_dyn, p_rela and p_st symbols 2014-03-07 13:50:19 +11:00
rtas-proc.c powerpc: LLVM complains about forward declaration of struct rtas_sensors 2014-11-10 09:59:32 +11:00
rtas-rtc.c
rtas.c powerpc: Replace mem_init_done with slab_is_available() 2015-04-10 20:02:48 +10:00
rtas_flash.c powerpc: Fix endianness of flash_block_list in rtas_flash 2014-07-28 11:30:54 +10:00
rtas_pci.c powerpc: move find_and_init_phbs() to pSeries specific code 2015-04-11 20:49:09 +10:00
rtasd.c powerpc: Make a bunch of things static 2014-09-25 23:14:41 +10:00
setup-common.c powerpc: Convert power off logic to pm_power_off 2014-11-03 12:12:51 +11:00
setup_32.c powerpc: Remove unused vgacon_remap_base & fix build break 2014-11-10 09:59:31 +11:00
setup_64.c powerpc/mmu: Add userspace-to-physical addresses translation cache 2015-06-11 15:16:54 +10:00
signal.c powerpc: Use sigsp() 2014-08-06 13:04:32 +02:00
signal.h powerpc: Use get_signal() signal_setup_done() 2014-08-06 13:03:09 +02:00
signal_32.c signal: fix information leak in copy_siginfo_from_user32 2015-08-07 04:39:40 +03:00
signal_64.c all arches, signal: move restart_block to struct task_struct 2015-02-12 18:54:12 -08:00
smp-tbsync.c powerpc: Delete non-required instances of include <linux/init.h> 2014-01-15 13:46:44 +11:00
smp.c powerpc/smp: Wait until secondaries are active & online 2015-03-04 13:19:33 +11:00
stacktrace.c powerpc: Rename __get_SP() to current_stack_pointer() 2014-10-15 11:23:20 +11:00
suspend.c nosave: consolidate __nosave_{begin,end} in <asm/sections.h> 2014-10-09 22:26:04 -04:00
swsusp.c
swsusp_32.S
swsusp_64.c
swsusp_asm64.S powerpc: Only save/restore SDR1 if in hypervisor mode 2013-10-31 12:37:29 +11:00
swsusp_booke.S powerpc/fsl-booke: Use SPRN_SPRGn rather than mfsprg/mtsprg 2014-01-07 19:06:03 -06:00
sys_ppc32.c unify compat fanotify_mark(2), switch to COMPAT_SYSCALL_DEFINE 2013-05-09 13:46:38 -04:00
syscalls.c powerpc: Add a proper syscall for switching endianness 2015-03-28 22:03:40 +11:00
sysfs.c powerpc/dscr: Add some in-code documentation 2015-06-07 19:29:15 +10:00
systbl.S powerpc: Add a proper syscall for switching endianness 2015-03-28 22:03:40 +11:00
systbl_chk.c powerpc: Add a proper syscall for switching endianness 2015-03-28 22:03:40 +11:00
systbl_chk.sh
tau_6xx.c
time.c powerpc: use device_initcall for registering rtc devices 2015-06-16 14:12:29 -04:00
tm.S powerpc/kernel: Rename PACA_DSCR to PACA_DSCR_DEFAULT 2015-06-07 19:29:00 +10:00
traps.c powerpc: Set the correct kernel taint on machine check errors. 2015-07-06 20:24:35 +10:00
udbg.c powerpc: Remove the celleb support 2015-04-07 17:15:13 +10:00
udbg_16550.c powerpc: Fix bad NULL pointer check in udbg_uart_getc_poll() 2014-11-12 13:47:20 +11:00
uprobes.c uprobes/powerpc: Kill arch_uprobe->ainsn 2013-11-20 16:31:01 +01:00
vdso.c powerpc/vdso: Disable building the 32-bit VDSO on little endian 2015-05-11 20:01:02 +10:00
vecemu.c powerpc: Put FP/VSX and VR state into structures 2013-10-11 17:26:49 +11:00
vector.S powerpc: Change vrX register defines to vX to match gcc and glibc 2015-03-16 18:32:11 +11:00
vio.c powerpc: use for_each_sg() 2015-06-24 17:49:38 -07:00
vmlinux.lds.S powerpc: Align TOC to 256 bytes 2015-05-14 16:59:21 +10:00