Google Git
Sign in
linux / linux / kernel / git / jmorris / linux-security / c995f12ad8842dbf5cfed113fb52cdd083f5afd1
commitc995f12ad8842dbf5cfed113fb52cdd083f5afd1[log] [tgz]
authorAlexey Dobriyan <adobriyan@gmail.com>Sun Mar 14 23:51:14 2021 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>Sun Mar 14 14:33:27 2021 -0700
tree92dd0fb652dcb361423365b28ee32888ab2257c8
parent70404fe3030ec2dcf339a9730bc03bf0e1f2acf5 [diff]
prctl: fix PR_SET_MM_AUXV kernel stack leak

Doing a

	prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1);

will copy 1 byte from userspace to (quite big) on-stack array
and then stash everything to mm->saved_auxv.
AT_NULL terminator will be inserted at the very end.

/proc/*/auxv handler will find that AT_NULL terminator
and copy original stack contents to userspace.

This devious scheme requires CAP_SYS_RESOURCE.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 file changed
tree: 92dd0fb652dcb361423365b28ee32888ab2257c8
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. LICENSES/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .clang-format
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. COPYING
  30. CREDITS
  31. Kbuild
  32. Kconfig
  33. MAINTAINERS
  34. Makefile
  35. README