From: Chris Wright Date: Sun, 31 Jul 2005 05:11:29 +0000 (-0700) Subject: sys_get_thread_area memleak fix from blaisorblade X-Git-Tag: v2.6.12.4~4^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ef9fc10f8cb84e4800d50b58a7b9232af8551dc7;p=thirdparty%2Fkernel%2Fstable-queue.git sys_get_thread_area memleak fix from blaisorblade --- diff --git a/queue/series b/queue/series index f468ea1d11d..29c7d555b3f 100644 --- a/queue/series +++ b/queue/series @@ -8,3 +8,4 @@ netfilter-NAT-memory-corruption.patch netfilter-ip_conntrack_untracked-refcount.patch ipsec-array-overflow.patch bio_clone-fix.patch +sys_get_thread_area-leak.patch diff --git a/queue/sys_get_thread_area-leak.patch b/queue/sys_get_thread_area-leak.patch new file mode 100644 index 00000000000..e916a0a5f88 --- /dev/null +++ b/queue/sys_get_thread_area-leak.patch @@ -0,0 +1,36 @@ +From stable-bounces@linux.kernel.org Sat Jul 30 12:02:54 2005 +To: stable@kernel.org +From: blaisorblade@yahoo.it +Date: Sat, 30 Jul 2005 21:07:02 +0200 +Cc: blaisorblade@yahoo.it, linux-kernel@vger.kernel.org +Subject: [patch] sys_get_thread_area does not clear the returned argument + +From: Blaisorblade +CC: + +sys_get_thread_area does not memset to 0 its struct user_desc info before +copying it to user space... since sizeof(struct user_desc) is 16 while the +actual datas which are filled are only 12 bytes + 9 bits (across the +bitfields), there is a (small) information leak. + +This was already committed to Linus' repository. + +Signed-off-by: Paolo 'Blaisorblade' Giarrusso +Signed-off-by: Chris Wright +--- + + vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c | 2 ++ + 1 files changed, 2 insertions(+) + +diff -puN arch/i386/kernel/process.c~sec-micro-info-leak arch/i386/kernel/process.c +--- vanilla-linux-2.6.12/arch/i386/kernel/process.c~sec-micro-info-leak 2005-07-28 21:19:26.000000000 +0200 ++++ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c 2005-07-28 21:19:26.000000000 +0200 +@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struc + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) + return -EINVAL; + ++ memset(&info, 0, sizeof(info)); ++ + desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN; + + info.entry_number = idx;