[PATCH 4.9 64/78] prctl: fix PR_SET_MM_AUXV kernel stack leak
From: gregkh@linuxfoundation.org
Date: 2021-03-15 13:59:11
Also in:
lkml
Subsystem:
the rest · Maintainer:
Linus Torvalds
From: gregkh@linuxfoundation.org
Date: 2021-03-15 13:59:11
Also in:
lkml
Subsystem:
the rest · Maintainer:
Linus Torvalds
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> From: Alexey Dobriyan <redacted> [ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] Doing a prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); will copy 1 byte from userspace to (quite big) on-stack array and then stash everything to mm->saved_auxv. AT_NULL terminator will be inserted at the very end. /proc/*/auxv handler will find that AT_NULL terminator and copy original stack contents to userspace. This devious scheme requires CAP_SYS_RESOURCE. Signed-off-by: Alexey Dobriyan <redacted> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- kernel/sys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/sys.c b/kernel/sys.c
index 546cdc911dad..76b3d9262644 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c@@ -1910,7 +1910,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, * up to the caller to provide sane values here, otherwise userspace * tools which use this vector might be unhappy. */ - unsigned long user_auxv[AT_VECTOR_SIZE]; + unsigned long user_auxv[AT_VECTOR_SIZE] = {}; if (len > sizeof(user_auxv)) return -EINVAL;
--
2.30.1