--- /dev/null
+From stable-bounces@linux.kernel.org Sat Jul 30 12:02:54 2005
+To: stable@kernel.org
+From: blaisorblade@yahoo.it
+Date: Sat, 30 Jul 2005 21:07:02 +0200
+Cc: blaisorblade@yahoo.it, linux-kernel@vger.kernel.org
+Subject: [patch] sys_get_thread_area does not clear the returned argument
+
+From: Blaisorblade <blaisorblade@yahoo.it>
+CC: <stable@kernel.org>
+
+sys_get_thread_area does not memset to 0 its struct user_desc info before
+copying it to user space... since sizeof(struct user_desc) is 16 while the
+actual datas which are filled are only 12 bytes + 9 bits (across the
+bitfields), there is a (small) information leak.
+
+This was already committed to Linus' repository.
+
+Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
+Signed-off-by: Chris Wright <chrisw@osdl.org>
+---
+
+ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c | 2 ++
+ 1 files changed, 2 insertions(+)
+
+diff -puN arch/i386/kernel/process.c~sec-micro-info-leak arch/i386/kernel/process.c
+--- vanilla-linux-2.6.12/arch/i386/kernel/process.c~sec-micro-info-leak 2005-07-28 21:19:26.000000000 +0200
++++ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c 2005-07-28 21:19:26.000000000 +0200
+@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struc
+ if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
+ return -EINVAL;
+
++ memset(&info, 0, sizeof(info));
++
+ desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
+
+ info.entry_number = idx;
projects / thirdparty / kernel / stable-queue.git / commitdiff
