[thirdparty/kernel/stable-queue.git] / releases / 2.6.36.2 / ipc-initialize-structure-memory-to-zero-for-compat-functions.patch

From 03145beb455cf5c20a761e8451e30b8a74ba58d9 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Wed, 27 Oct 2010 15:34:17 -0700
Subject: ipc: initialize structure memory to zero for compat functions

From: Dan Rosenberg <drosenberg@vsecurity.com>

commit 03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream.

This takes care of leaking uninitialized kernel stack memory to
userspace from non-zeroed fields in structs in compat ipc functions.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 ipc/compat.c    |    6 ++++++
 ipc/compat_mq.c |    5 +++++
 2 files changed, 11 insertions(+)

--- a/ipc/compat.c
+++ b/ipc/compat.c
@@ -241,6 +241,8 @@ long compat_sys_semctl(int first, int se
 	struct semid64_ds __user *up64;
 	int version = compat_ipc_parse_version(&third);
 
+	memset(&s64, 0, sizeof(s64));
+
 	if (!uptr)
 		return -EINVAL;
 	if (get_user(pad, (u32 __user *) uptr))
@@ -421,6 +423,8 @@ long compat_sys_msgctl(int first, int se
 	int version = compat_ipc_parse_version(&second);
 	void __user *p;
 
+	memset(&m64, 0, sizeof(m64));
+
 	switch (second & (~IPC_64)) {
 	case IPC_INFO:
 	case IPC_RMID:
@@ -594,6 +598,8 @@ long compat_sys_shmctl(int first, int se
 	int err, err2;
 	int version = compat_ipc_parse_version(&second);
 
+	memset(&s64, 0, sizeof(s64));
+
 	switch (second & (~IPC_64)) {
 	case IPC_RMID:
 	case SHM_LOCK:
--- a/ipc/compat_mq.c
+++ b/ipc/compat_mq.c
@@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const
 	void __user *p = NULL;
 	if (u_attr && oflag & O_CREAT) {
 		struct mq_attr attr;
+
+		memset(&attr, 0, sizeof(attr));
+
 		p = compat_alloc_user_space(sizeof(attr));
 		if (get_compat_mq_attr(&attr, u_attr) ||
 		    copy_to_user(p, &attr, sizeof(attr)))
@@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr
 	struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
 	long ret;
 
+	memset(&mqstat, 0, sizeof(mqstat));
+
 	if (u_mqstat) {
 		if (get_compat_mq_attr(&mqstat, u_mqstat) ||
 		    copy_to_user(p, &mqstat, sizeof(mqstat)))
Commit	Line	Data
9f934a63 GKH	1	From 03145beb455cf5c20a761e8451e30b8a74ba58d9 Mon Sep 17 00:00:00 2001
	2	From: Dan Rosenberg <drosenberg@vsecurity.com>
	3	Date: Wed, 27 Oct 2010 15:34:17 -0700
	4	Subject: ipc: initialize structure memory to zero for compat functions
	5
	6	From: Dan Rosenberg <drosenberg@vsecurity.com>
	7
	8	commit 03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream.
	9
	10	This takes care of leaking uninitialized kernel stack memory to
	11	userspace from non-zeroed fields in structs in compat ipc functions.
	12
	13	Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
	14	Cc: Manfred Spraul <manfred@colorfullife.com>
	15	Cc: Arnd Bergmann <arnd@arndb.de>
	16	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	17	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	18	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	19
	20	---
	21	ipc/compat.c \| 6 ++++++
	22	ipc/compat_mq.c \| 5 +++++
	23	2 files changed, 11 insertions(+)
	24
	25	--- a/ipc/compat.c
	26	+++ b/ipc/compat.c
	27	@@ -241,6 +241,8 @@ long compat_sys_semctl(int first, int se
	28	struct semid64_ds __user *up64;
	29	int version = compat_ipc_parse_version(&third);
	30
	31	+ memset(&s64, 0, sizeof(s64));
	32	+
	33	if (!uptr)
	34	return -EINVAL;
	35	if (get_user(pad, (u32 __user *) uptr))
	36	@@ -421,6 +423,8 @@ long compat_sys_msgctl(int first, int se
	37	int version = compat_ipc_parse_version(&second);
	38	void __user *p;
	39
	40	+ memset(&m64, 0, sizeof(m64));
	41	+
	42	switch (second & (~IPC_64)) {
	43	case IPC_INFO:
	44	case IPC_RMID:
	45	@@ -594,6 +598,8 @@ long compat_sys_shmctl(int first, int se
	46	int err, err2;
	47	int version = compat_ipc_parse_version(&second);
	48
	49	+ memset(&s64, 0, sizeof(s64));
	50	+
	51	switch (second & (~IPC_64)) {
	52	case IPC_RMID:
	53	case SHM_LOCK:
	54	--- a/ipc/compat_mq.c
	55	+++ b/ipc/compat_mq.c
	56	@@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const
	57	void __user *p = NULL;
	58	if (u_attr && oflag & O_CREAT) {
	59	struct mq_attr attr;
	60	+
	61	+ memset(&attr, 0, sizeof(attr));
	62	+
	63	p = compat_alloc_user_space(sizeof(attr));
	64	if (get_compat_mq_attr(&attr, u_attr) \|\|
65	copy_to_user(p, &attr, sizeof(attr)))
66	@@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr
67	struct mq_attr __user p = compat_alloc_user_space(2 sizeof(*p));
68	long ret;
69
70	+ memset(&mqstat, 0, sizeof(mqstat));
71	+
72	if (u_mqstat) {
73	if (get_compat_mq_attr(&mqstat, u_mqstat) \|\|
74	copy_to_user(p, &mqstat, sizeof(mqstat)))