Commit
core: scrub user-tainted kernel heap memory before freeing it
Some syscalls can be used to poison kernel heap memory. Data copied from userland is not wiped when the syscall returns. For instance, when doing syscall_log() one can copy arbitrary data of variable length onto kernel memory. When free() is called, the block is returned to the memory pool, tainted with that userland data. This might be used in combination with some other vulnerability to produce an exploit.

This patch uses free_wipe() to clear the buffers that have been used to store user-provided data before returning them to the heap.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.4]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
1 parent
4e57065
commit 70b6131
Showing 2 changed files with 25 additions and 24 deletions.
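An added illustration of the wipe-before-free pattern the commit message describes; it is not code from this commit or its project. The one-block toy pool and the names pool_alloc, pool_free, pool_free_wipe, handle_log and residue are hypothetical stand-ins for the kernel heap, free(), free_wipe() and a log-style syscall handler.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy one-block heap standing in for the kernel pool (constructed for this
 * example), so that inspecting a released block is well-defined C. */
#define BLOCK_SIZE 64
static uint8_t pool[BLOCK_SIZE];
static int in_use;

static void *pool_alloc(size_t len)
{
	if (in_use || len > BLOCK_SIZE)
		return NULL;
	in_use = 1;
	return pool;
}

/* Plain free: the block returns to the pool with its contents intact. */
static void pool_free(void *p) { if (p) in_use = 0; }

/* Wipe-then-free: volatile stores so the compiler cannot drop the clear. */
static void pool_free_wipe(void *p)
{
	volatile uint8_t *v = p;
	for (size_t i = 0; p && i < BLOCK_SIZE; i++)
		v[i] = 0;
	pool_free(p);
}

/* Hypothetical log-style handler: copy caller data in, use it, release it. */
static int handle_log(const void *ubuf, size_t len, int wipe)
{
	uint8_t *kbuf = pool_alloc(len);
	if (!kbuf)
		return -1;
	memcpy(kbuf, ubuf, len); /* stands in for the copy from userland */
	if (wipe) pool_free_wipe(kbuf); else pool_free(kbuf);
	return 0;
}

/* Number of non-zero bytes left behind in the (now free) block. */
static size_t residue(void)
{
	size_t n = 0;
	for (size_t i = 0; i < BLOCK_SIZE; i++)
		n += pool[i] != 0;
	return n;
}
```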