[PATCH 3.10-rc7] Fix: kernel/ptrace.c: ptrace_peek_siginfo() missing __put_user() validation

Fri, 28 Jun 2013 06:51:05 -0700 

This __put_user() could be used by unprivileged processes to write into
kernel memory. The issue here is that even if copy_siginfo_to_user()
fails, the error code is not checked before __put_user() is executed.
Luckily, ptrace_peek_siginfo() has been added within the 3.10-rc cycle,
so it has not hit a stable release yet.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoy...@efficios.com>
CC: Andrey Vagin <ava...@openvz.org>
CC: Roland McGrath <rol...@redhat.com>
CC: Oleg Nesterov <o...@redhat.com>
CC: "Paul E. McKenney" <paul...@linux.vnet.ibm.com>
CC: David Howells <dhowe...@redhat.com>
CC: Dave Jones <da...@redhat.com>
CC: Pavel Emelyanov <xe...@parallels.com>
CC: Linus Torvalds <torva...@linux-foundation.org>
Cc: Pedro Alves <pal...@redhat.com>
CC: Andrew Morton <a...@linux-foundation.org>
CC: Linus Torvalds <torva...@linux-foundation.org>
---
 kernel/ptrace.c |   20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

Index: linux/kernel/ptrace.c
===================================================================
--- linux.orig/kernel/ptrace.c
+++ linux/kernel/ptrace.c
@@ -665,20 +665,22 @@ static int ptrace_peek_siginfo(struct ta
                if (unlikely(is_compat_task())) {
                        compat_siginfo_t __user *uinfo = compat_ptr(data);
 
-                       ret = copy_siginfo_to_user32(uinfo, &info);
-                       ret |= __put_user(info.si_code, &uinfo->si_code);
+                       if (copy_siginfo_to_user32(uinfo, &info) ||
+                           __put_user(info.si_code, &uinfo->si_code)) {
+                               ret = -EFAULT;
+                               break;
+                       }
+
                } else
 #endif
                {
                        siginfo_t __user *uinfo = (siginfo_t __user *) data;
 
-                       ret = copy_siginfo_to_user(uinfo, &info);
-                       ret |= __put_user(info.si_code, &uinfo->si_code);
-               }
-
-               if (ret) {
-                       ret = -EFAULT;
-                       break;
+                       if (copy_siginfo_to_user(uinfo, &info) ||
+                           __put_user(info.si_code, &uinfo->si_code)) {
+                               ret = -EFAULT;
+                               break;
+                       }
                }
 
                data += sizeof(siginfo_t);

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to