]> Git Repo - linux.git/commitdiff
projects / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bd2931b)
Fix: kernel/ptrace.c: ptrace_peek_siginfo() missing __put_user() validation
authorMathieu Desnoyers <[email protected]>
Fri, 28 Jun 2013 13:49:46 +0000 (09:49 -0400)
committerLinus Torvalds <[email protected]>
Sat, 29 Jun 2013 18:29:08 +0000 (11:29 -0700)
This __put_user() could be used by unprivileged processes to write into
kernel memory.  The issue here is that even if copy_siginfo_to_user()
fails, the error code is not checked before __put_user() is executed.

Luckily, ptrace_peek_siginfo() has been added within the 3.10-rc cycle,
so it has not hit a stable release yet.

Signed-off-by: Mathieu Desnoyers <[email protected]>
Acked-by: Oleg Nesterov <[email protected]>
Cc: Andrey Vagin <[email protected]>
Cc: Roland McGrath <[email protected]>
Cc: Paul McKenney <[email protected]>
Cc: David Howells <[email protected]>
Cc: Dave Jones <[email protected]>
Cc: Pavel Emelyanov <[email protected]>
Cc: Pedro Alves <[email protected]>
Cc: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
kernel/ptrace.c patch | blob | blame | history

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index aed981a3f69c180dda76bfca76411656842eec01..335a7ae697f5986269d94a445fd27142fc75c09f 100644 (file)
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -665,20 +665,22 @@ static int ptrace_peek_siginfo(struct task_struct *child,
                if (unlikely(is_compat_task())) {
                        compat_siginfo_t __user *uinfo = compat_ptr(data);
 
-                       ret = copy_siginfo_to_user32(uinfo, &info);
-                       ret |= __put_user(info.si_code, &uinfo->si_code);
+                       if (copy_siginfo_to_user32(uinfo, &info) ||
+                           __put_user(info.si_code, &uinfo->si_code)) {
+                               ret = -EFAULT;
+                               break;
+                       }
+
                } else
 #endif
                {
                        siginfo_t __user *uinfo = (siginfo_t __user *) data;
 
-                       ret = copy_siginfo_to_user(uinfo, &info);
-                       ret |= __put_user(info.si_code, &uinfo->si_code);
-               }
-
-               if (ret) {
-                       ret = -EFAULT;
-                       break;
+                       if (copy_siginfo_to_user(uinfo, &info) ||
+                           __put_user(info.si_code, &uinfo->si_code)) {
+                               ret = -EFAULT;
+                               break;
+                       }
                }
 
                data += sizeof(siginfo_t);
Empty description
This page took 0.05723 seconds and 4 git commands to generate.