On 03/11, Kees Cook wrote:
>
> When the new signal handlers are set up for a fork, the location of
> sa_restorer is not cleared, leaking a parent process's address space
> location to children. This allows for a potential bypass of the parent's
> ASLR by examining the sa_restorer value returned when calling sigaction().
I don't understand. fork() should not change restorer/etc, and the child
has the same address space anyway. There is no leak, and the patch can't
make any difference in this case because flush_signal_handlers() is not
called by fork().

> @@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int
> force_default)
> if (force_default || ka->sa.sa_handler != SIG_IGN)
> ka->sa.sa_handler = SIG_DFL;
> ka->sa.sa_flags = 0;
> +#ifdef __ARCH_HAS_SA_RESTORER
> + ka->sa.sa_restorer = NULL;
> +#endif

However, exec sets SIG_DFL but keeps ->sa_restorer, so probably this patch
makes sense anyway.

Oleg.
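Review bot: the changelog describes fork, but the only function touched is flush_signal_handlers(), which is called on exec and not on fork, so the description should say that exec resets handlers to SIG_DFL and clears sa_flags while leaving the previous image's sa_restorer pointer in place; the hunk itself is consistent with that, since the new `ka->sa.sa_restorer = NULL;` sits next to the unconditional `ka->sa.sa_flags = 0;` rather than inside the `if (force_default || ...)` branch. One thing to confirm before merging is that every architecture whose struct sigaction carries an sa_restorer field also defines __ARCH_HAS_SA_RESTORER, because on any architecture that has the field but not the macro the `#ifdef` leaves the old pointer untouched.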