|
|
18917ef |
|
|
|
18917ef |
Delivered-To: jwboyer@gmail.com
|
|
|
18917ef |
Received: by 10.76.169.233 with SMTP id ah9csp99159oac;
|
|
|
18917ef |
Mon, 11 Mar 2013 13:14:17 -0700 (PDT)
|
|
|
18917ef |
X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671;
|
|
|
18917ef |
Mon, 11 Mar 2013 13:14:16 -0700 (PDT)
|
|
|
18917ef |
Return-Path: <linux-kernel-owner@vger.kernel.org>
|
|
|
18917ef |
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
|
|
18917ef |
by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10;
|
|
|
18917ef |
Mon, 11 Mar 2013 13:14:16 -0700 (PDT)
|
|
|
18917ef |
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
|
|
18917ef |
Authentication-Results: mx.google.com;
|
|
|
18917ef |
spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org
|
|
|
18917ef |
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
|
|
18917ef |
id S1754069Ab3CKUN4 (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others);
|
|
|
18917ef |
Mon, 11 Mar 2013 16:13:56 -0400
|
|
|
18917ef |
Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net"
|
|
|
18917ef |
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
|
|
|
18917ef |
id S1753913Ab3CKUN4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
|
|
|
18917ef |
Mon, 11 Mar 2013 16:13:56 -0400
|
|
|
18917ef |
Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
|
|
|
18917ef |
by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201;
|
|
|
18917ef |
Mon, 11 Mar 2013 13:13:43 -0700
|
|
|
18917ef |
Date: Mon, 11 Mar 2013 13:13:42 -0700
|
|
|
18917ef |
From: Kees Cook <keescook@chromium.org>
|
|
|
18917ef |
To: linux-kernel@vger.kernel.org
|
|
|
18917ef |
Cc: Al Viro <viro@zeniv.linux.org.uk>, Oleg Nesterov <oleg@redhat.com>,
|
|
|
18917ef |
Andrew Morton <akpm@linux-foundation.org>,
|
|
|
18917ef |
"Eric W. Biederman" <ebiederm@xmission.com>,
|
|
|
18917ef |
Serge Hallyn <serge.hallyn@canonical.com>,
|
|
|
18917ef |
Emese Revfy <re.emese@gmail.com>,
|
|
|
18917ef |
PaX Team <pageexec@freemail.hu>, jln@google.com
|
|
|
18917ef |
Subject: [PATCH v2] signal: always clear sa_restorer on execve
|
|
|
18917ef |
Message-ID: <20130311201342.GA19824@www.outflux.net>
|
|
|
18917ef |
MIME-Version: 1.0
|
|
|
18917ef |
Content-Type: text/plain; charset=us-ascii
|
|
|
18917ef |
Content-Disposition: inline
|
|
|
18917ef |
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
|
|
|
18917ef |
X-HELO: www.outflux.net
|
|
|
18917ef |
X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
|
|
|
18917ef |
Sender: linux-kernel-owner@vger.kernel.org
|
|
|
18917ef |
Precedence: bulk
|
|
|
18917ef |
List-ID: <linux-kernel.vger.kernel.org>
|
|
|
18917ef |
X-Mailing-List: linux-kernel@vger.kernel.org
|
|
|
18917ef |
|
|
|
18917ef |
When the new signal handlers are set up, the location of sa_restorer
|
|
|
18917ef |
is not cleared, leaking a parent process's address space location to
|
|
|
18917ef |
children. This allows for a potential bypass of the parent's ASLR by
|
|
|
18917ef |
examining the sa_restorer value returned when calling sigaction().
|
|
|
18917ef |
|
|
|
18917ef |
Based on what should be considered "secret" about addresses, it only
|
|
|
18917ef |
matters across the exec not the fork (since the VMAs haven't changed
|
|
|
18917ef |
until the exec). But since exec sets SIG_DFL and keeps sa_restorer,
|
|
|
18917ef |
this is where it should be fixed.
|
|
|
18917ef |
|
|
|
18917ef |
Given the few uses of sa_restorer, a "set" function was not written
|
|
|
18917ef |
since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER,
|
|
|
18917ef |
as already done in other places.
|
|
|
18917ef |
|
|
|
18917ef |
Example of the leak before applying this patch:
|
|
|
18917ef |
|
|
|
18917ef |
$ cat /proc/$$/maps
|
|
|
18917ef |
...
|
|
|
18917ef |
7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
|
|
|
18917ef |
...
|
|
|
18917ef |
$ ./leak
|
|
|
18917ef |
...
|
|
|
18917ef |
7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
|
|
|
18917ef |
...
|
|
|
18917ef |
1 0 (nil) 0x7fb9f30b94a0
|
|
|
18917ef |
2 4000000 (nil) 0x7f278bcaa4a0
|
|
|
18917ef |
3 4000000 (nil) 0x7f278bcaa4a0
|
|
|
18917ef |
4 0 (nil) 0x7fb9f30b94a0
|
|
|
18917ef |
...
|
|
|
18917ef |
|
|
|
18917ef |
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
|
18917ef |
Reported-by: Emese Revfy <re.emese@gmail.com>
|
|
|
18917ef |
Cc: Emese Revfy <re.emese@gmail.com>
|
|
|
18917ef |
Cc: PaX Team <pageexec@freemail.hu>
|
|
|
18917ef |
Cc: stable@vger.kernel.org
|
|
|
18917ef |
---
|
|
|
18917ef |
v2:
|
|
|
18917ef |
- clarify commit, explain use of #ifdef.
|
|
|
18917ef |
---
|
|
|
18917ef |
kernel/signal.c | 3 +++
|
|
|
18917ef |
1 file changed, 3 insertions(+)
|
|
|
18917ef |
|
|
|
18917ef |
diff --git a/kernel/signal.c b/kernel/signal.c
|
|
|
18917ef |
index 2ec870a..8c8e3ca 100644
|
|
|
18917ef |
--- a/kernel/signal.c
|
|
|
18917ef |
+++ b/kernel/signal.c
|
|
|
18917ef |
@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
|
|
|
18917ef |
if (force_default || ka->sa.sa_handler != SIG_IGN)
|
|
|
18917ef |
ka->sa.sa_handler = SIG_DFL;
|
|
|
18917ef |
ka->sa.sa_flags = 0;
|
|
|
18917ef |
+#ifdef __ARCH_HAS_SA_RESTORER
|
|
|
18917ef |
+ ka->sa.sa_restorer = NULL;
|
|
|
18917ef |
+#endif
|
|
|
18917ef |
sigemptyset(&ka->sa.sa_mask);
|
|
|
18917ef |
ka++;
|
|
|
18917ef |
}
|
|
|
18917ef |
--
|
|
|
18917ef |
1.7.9.5
|
|
|
18917ef |
|
|
|
18917ef |
|
|
|
18917ef |
--
|
|
|
18917ef |
Kees Cook
|
|
|
18917ef |
Chrome OS Security
|
|
|
18917ef |
--
|
|
|
18917ef |
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
|
|
18917ef |
the body of a message to majordomo@vger.kernel.org
|
|
|
18917ef |
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
|
|
18917ef |
Please read the FAQ at http://www.tux.org/lkml/
|