From: Greg Kroah-Hartman Date: Mon, 10 Nov 2014 05:54:46 +0000 (+0900) Subject: 3.10-stable patches X-Git-Tag: v3.10.60~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2a60caae8295896329c3b7af78bd22c8c46a2176;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: posix-timers-fix-stack-info-leak-in-timer_create.patch --- diff --git a/queue-3.10/posix-timers-fix-stack-info-leak-in-timer_create.patch b/queue-3.10/posix-timers-fix-stack-info-leak-in-timer_create.patch new file mode 100644 index 00000000000..161d0f2207d --- /dev/null +++ b/queue-3.10/posix-timers-fix-stack-info-leak-in-timer_create.patch 
@@ -0,0 +1,45 @@ +From 6891c4509c792209c44ced55a60f13954cb50ef4 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sat, 4 Oct 2014 23:06:39 +0200 +Subject: posix-timers: Fix stack info leak in timer_create() + +From: Mathias Krause + +commit 6891c4509c792209c44ced55a60f13954cb50ef4 upstream. + +If userland creates a timer without specifying a sigevent info, we'll +create one ourself, using a stack local variable. Particularly will we +use the timer ID as sival_int. But as sigev_value is a union containing +a pointer and an int, that assignment will only partially initialize +sigev_value on systems where the size of a pointer is bigger than the +size of an int. On such systems we'll copy the uninitialized stack bytes +from the timer_create() call to userland when the timer actually fires +and we're going to deliver the signal. + +Initialize sigev_value with 0 to plug the stack info leak. + +Found in the PaX patch, written by the PaX Team. + +Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...") +Signed-off-by: Mathias Krause +Cc: Oleg Nesterov +Cc: Brad Spengler +Cc: PaX Team +Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/posix-timers.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/posix-timers.c ++++ b/kernel/posix-timers.c +@@ -634,6 +634,7 @@ SYSCALL_DEFINE3(timer_create, const cloc + goto out; + } + } else { ++ memset(&event.sigev_value, 0, sizeof(event.sigev_value)); + event.sigev_notify = SIGEV_SIGNAL; + event.sigev_signo = SIGALRM; + event.sigev_value.sival_int = new_timer->it_id; diff --git a/queue-3.10/series b/queue-3.10/series index c5a0c5b8f86..eab2ac9efe3 100644 --- a/queue-3.10/series +++ b/queue-3.10/series 
@@ -106,3 +106,4 @@ quota-properly-return-errors-from-dquot_writeback_dquots.patch tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch pm-sleep-fix-recovery-during-resuming-from-hibernation.patch mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch +posix-timers-fix-stack-info-leak-in-timer_create.patch
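Review bot: in the posix-timers hunk (the `else` branch of timer_create), the added `memset(&event.sigev_value, 0, sizeof(event.sigev_value));` is correctly placed before `event.sigev_value.sival_int = new_timer->it_id;`, so the bytes of the union that the int assignment does not cover (the upper half on targets where a pointer is wider than an int, as the description explains) are cleared before the value is later copied to userland at signal delivery. The fix is deliberately minimal: `sigev_notify` and `sigev_signo` are assigned explicitly in the same branch, and the description identifies `sigev_value` as the only data that reaches userland, so zeroing just that member closes the leak. One suggestion if this is ever reworked: clearing the whole structure at the top of the branch with `memset(&event, 0, sizeof(event));` (or zero-initializing `event` at its declaration) would not depend on a future reader remembering that a partial write into a union leaves the rest of it as stale stack contents. The backport matches the upstream commit referenced by the `commit ... upstream.` line and the `Fixes:` tag, and the `queue-3.10/series` entry uses the same file name as the added patch, so the queue is consistent.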