Commit | Line | Data |
---|---|---|
a5dc67e6 GKH |
1 | From b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 Mon Sep 17 00:00:00 2001 |
2 | From: Andi Kleen <andi@firstfloor.org> | |
3 | Date: Fri, 8 Jan 2010 14:42:52 -0800 | |
4 | Subject: kernel/signal.c: fix kernel information leak with print-fatal-signals=1 | |
5 | ||
6 | From: Andi Kleen <andi@firstfloor.org> | |
7 | ||
8 | commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream. | |
9 | ||
10 | When print-fatal-signals is enabled it's possible to dump any memory | |
11 | reachable by the kernel to the log by simply jumping to that address from | |
12 | user space. | |
13 | ||
14 | Or crash the system if there's some hardware with read side effects. | |
15 | ||
16 | The fatal signals handler will dump 16 bytes at the execution address, | |
17 | which is fully controlled by ring 3. | |
18 | ||
19 | In addition when something jumps to an unmapped address there will be up to | |
20 | 16 additional useless page faults, which might be potentially slow (and at | |
21 | least is not very efficient) | |
22 | ||
23 | Fortunately this option is off by default and only there on i386. | |
24 | ||
25 | But fix it by checking for kernel addresses and also stopping when there's | |
26 | a page fault. | |
27 | ||
28 | Signed-off-by: Andi Kleen <ak@linux.intel.com> | |
29 | Cc: Ingo Molnar <mingo@elte.hu> | |
30 | Cc: Oleg Nesterov <oleg@redhat.com> | |
31 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | |
32 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
33 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
34 | ||
35 | --- | |
36 | kernel/signal.c | 3 ++- | |
37 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
38 | ||
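--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -939,7 +939,8 @@ static void print_fatal_signal(struct pt
 for (i = 0; i < 16; i++) {
 unsigned char insn;
 
- __get_user(insn, (unsigned char *)(regs->ip + i));
+ if (get_user(insn, (unsigned char *)(regs->ip + i)))
+ break;
 printk("%02x ", insn);
 }
 }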
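Review bot: Nothing at the `get_user()` call in the dump loop records that the checked accessor is what keeps this path from reading kernel memory, so a later cleanup could swap back to `__get_user()` and silently reopen the leak. I would add a comment above the call such as `/* regs->ip is user-controlled: get_user() range-checks the address; stop at the first fault */`. The cast could also carry the `__user` annotation, `(unsigned char __user *)(regs->ip + i)`, so sparse checks the pointer's address space. print_fatal_signal() begins outside the hunk.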