git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
[PATCH] sys_get_thread_area does not clear the returned argument
author Blaisorblade <blaisorblade@yahoo.it>
Sat, 30 Jul 2005 19:07:02 +0000 (21:07 +0200)
committer Chris Wright <chrisw@osdl.org>
Fri, 5 Aug 2005 07:04:23 +0000 (00:04 -0700)
CC: <stable@kernel.org>
sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space...  since sizeof(struct user_desc) is 16 while the
actual data which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.

This was already committed to Linus' repository.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Chris Wright <chrisw@osdl.org>
arch/i386/kernel/process.c

index 96e3ea6b17c7b989c1bafb3c1ce87f7768348693..173799685df3eed34aeeaac5968daa98ee3b9bfa 100644 (file)
@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info)
        if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
                return -EINVAL;
 
+       memset(&info, 0, sizeof(info));
+
        desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
 
        info.entry_number = idx;
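
Review bot: The added memset(&info, 0, sizeof(info)) has no comment, and because the lines after it assign fields such as info.entry_number one by one, it can look redundant to a later reader and get dropped in a cleanup. Add a one-line comment above it saying that it zeroes the padding and unused bitfield bits of struct user_desc before the structure is copied to user space, which is the reason the commit message gives. The placement after the idx range check is fine, since the -EINVAL path returns before info is touched.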