9f934a63 GKH |
1 | From 03145beb455cf5c20a761e8451e30b8a74ba58d9 Mon Sep 17 00:00:00 2001 |
2 | From: Dan Rosenberg <drosenberg@vsecurity.com> | |
3 | Date: Wed, 27 Oct 2010 15:34:17 -0700 | |
4 | Subject: ipc: initialize structure memory to zero for compat functions | |
5 | ||
6 | From: Dan Rosenberg <drosenberg@vsecurity.com> | |
7 | ||
8 | commit 03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream. | |
9 | ||
10 | This takes care of leaking uninitialized kernel stack memory to | |
11 | userspace from non-zeroed fields in structs in compat ipc functions. | |
12 | ||
13 | Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> | |
14 | Cc: Manfred Spraul <manfred@colorfullife.com> | |
15 | Cc: Arnd Bergmann <arnd@arndb.de> | |
16 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | |
17 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
18 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
19 | ||
20 | --- | |
21 | ipc/compat.c | 6 ++++++ | |
22 | ipc/compat_mq.c | 5 +++++ | |
23 | 2 files changed, 11 insertions(+) | |
24 | ||
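--- a/ipc/compat.c
+++ b/ipc/compat.c
@@ -241,6 +241,8 @@ long compat_sys_semctl(int first, int se
 struct semid64_ds __user *up64;
 int version = compat_ipc_parse_version(&third);
 
+memset(&s64, 0, sizeof(s64));
+
 if (!uptr)
 return -EINVAL;
 if (get_user(pad, (u32 __user *) uptr))
@@ -421,6 +423,8 @@ long compat_sys_msgctl(int first, int se
 int version = compat_ipc_parse_version(&second);
 void __user *p;
 
+memset(&m64, 0, sizeof(m64));
+
 switch (second & (~IPC_64)) {
 case IPC_INFO:
 case IPC_RMID:
@@ -594,6 +598,8 @@ long compat_sys_shmctl(int first, int se
 int err, err2;
 int version = compat_ipc_parse_version(&second);
 
+memset(&s64, 0, sizeof(s64));
+
 switch (second & (~IPC_64)) {
 case IPC_RMID:
 case SHM_LOCK: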
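--- a/ipc/compat_mq.c
+++ b/ipc/compat_mq.c
@@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const
 void __user *p = NULL;
 if (u_attr && oflag & O_CREAT) {
 struct mq_attr attr;
+
+memset(&attr, 0, sizeof(attr));
+
 p = compat_alloc_user_space(sizeof(attr));
 if (get_compat_mq_attr(&attr, u_attr) ||
 copy_to_user(p, &attr, sizeof(attr)))
@@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr
 struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
 long ret;
 
+memset(&mqstat, 0, sizeof(mqstat));
+
 if (u_mqstat) {
 if (get_compat_mq_attr(&mqstat, u_mqstat) ||
 copy_to_user(p, &mqstat, sizeof(mqstat)))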
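Review bot: In compat_sys_mq_open the zeroed attr is handed to get_compat_mq_attr() and then copied verbatim to the user-space buffer by copy_to_user() on the next line, but nothing in the hunk says which part of attr the helper leaves untouched, so the dependency between the memset and the copy is invisible to a reader. The body of get_compat_mq_attr() is outside the hunk; it presumably fills only the members that exist in the compat layout, which is what leaves the remaining bytes of attr uninitialized without the memset. I would add above the memset `/* get_compat_mq_attr() fills only part of attr; the rest must be zero before copy_to_user() */`, and the same comment fits the mqstat memset in compat_sys_mq_getsetattr, whose enclosing function also runs past the hunk.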