core: scrub user-tainted kernel heap memory before freeing it
Some syscalls can be used to poison kernel heap memory. Data copied from userland is not wiped when the syscall returns. For instance, when doing syscall_log() one can copy arbitrary data of variable length onto kernel memory. When free() is called, the block is returned to the memory pool, tainted with that userland data. This might be used in combination with some other vulnerability to produce an exploit.

This patch uses free_wipe() to clear the buffers that have been used to store user-provided data before returning them to the heap.

Signed-off-by: Jerome Forissier <email@example.com>
Reported-by: Bastien Simondi <firstname.lastname@example.org> [1.4]
Reviewed-by: Jens Wiklander <email@example.com>
Reviewed-by: Joakim Bech <firstname.lastname@example.org>
Acked-by: Etienne Carriere <email@example.com>
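The recycling behaviour the commit message describes, shown on a constructed fixed-block pool that stands in for the kernel heap (an added example, not OP-TEE's code): `pool_alloc`, `pool_free` and `pool_free_wipe` are hypothetical stand-ins for malloc(), free() and free_wipe(), and the payload is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a kernel heap: fixed-size blocks handed out from a
 * LIFO free list, so the block that was just freed is the next one allocated. */
#define BLOCK_SZ   64
#define NUM_BLOCKS 4

static uint8_t pool[NUM_BLOCKS][BLOCK_SZ];
static uint8_t *free_list[NUM_BLOCKS];
static int free_top = -1;

static void pool_init(void)
{
    free_top = -1;
    for (int i = 0; i < NUM_BLOCKS; i++)
        free_list[++free_top] = pool[i];   /* every block starts out free */
}

static void *pool_alloc(void)
{
    /* like malloc(): makes no promise about the contents of the block */
    return free_top >= 0 ? free_list[free_top--] : NULL;
}

static void pool_free(void *p)
{
    /* like free(): the block goes back untouched, old contents included */
    free_list[++free_top] = p;
}

/* Like free_wipe(): the allocator knows the block size, so it can scrub the
 * whole block first. The volatile pointer keeps the compiler from dropping
 * the stores as dead writes to memory that is about to be released. */
static void pool_free_wipe(void *p)
{
    volatile uint8_t *vp = p;
    for (size_t i = 0; i < BLOCK_SZ; i++)
        vp[i] = 0;
    pool_free(p);
}

/* Models a syscall that copies user-controlled bytes into a heap block and
 * frees it, then re-allocates the recycled block and reports whether the
 * user bytes are still in it. */
static bool user_data_survives_free(bool wipe)
{
    const uint8_t user_data[] = "constructed user-supplied log payload";
    pool_init();
    uint8_t *buf = pool_alloc();
    if (!buf)
        return false;
    memcpy(buf, user_data, sizeof(user_data));    /* copy from userland */
    if (wipe)
        pool_free_wipe(buf);
    else
        pool_free(buf);
    uint8_t *reused = pool_alloc();               /* same block comes back */
    return memcmp(reused, user_data, sizeof(user_data)) == 0;
}
```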
Showing with 25 additions and 24 deletions.