* info leak -- padded struct copied to user
@ 2003-07-17 23:34 Albert Cahalan
From: Albert Cahalan @ 2003-07-17 23:34 UTC (permalink / raw)
To: linux-kernel; +Cc: akpm, Linus Torvalds
It's not OK to leak bits of the kernel stack.
(tiny security flaw) I found this with -Wpadded.
diff -Naurd old/fs/stat.c new/fs/stat.c
--- old/fs/stat.c 2003-07-17 18:25:20.000000000 -0400
+++ new/fs/stat.c 2003-07-17 18:27:47.000000000 -0400
@@ -123,6 +123,7 @@
SET_OLDSTAT_UID(tmp, stat->uid);
SET_OLDSTAT_GID(tmp, stat->gid);
tmp.st_rdev = stat->rdev;
+ tmp.__pad_16bit = 0; /* don't leak kernel stack data! */
#if BITS_PER_LONG == 32
if (stat->size > MAX_NON_LFS)
return -EOVERFLOW;
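Review bot: `tmp.__pad_16bit = 0;` names a struct member from architecture-independent fs/stat.c, but this patch adds that member only in include/asm-i386/stat.h, so every other architecture that builds this path would need the same field or it will not compile. Clearing the whole structure before the fields are filled in, for example `memset(&tmp, 0, sizeof(tmp));`, would cover this hole and any other padding without relying on a per-architecture field name.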
diff -Naurd old/include/asm-i386/stat.h new/include/asm-i386/stat.h
--- old/include/asm-i386/stat.h 2003-06-26 17:50:47.000000000 -0400
+++ new/include/asm-i386/stat.h 2003-07-17 18:23:01.000000000 -0400
@@ -9,6 +9,7 @@
unsigned short st_uid;
unsigned short st_gid;
unsigned short st_rdev;
+ unsigned short __pad_16bit;
unsigned long st_size;
unsigned long st_atime;
unsigned long st_mtime;
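Review bot: the new `unsigned short __pad_16bit;` member after st_rdev carries no comment saying it is padding that must be written as zero before the structure is copied to user space; a short comment on the declaration would keep later users of the struct from leaving it uninitialised. Because this layout is what user space receives, it is also worth confirming that the explicit member fills exactly the hole the compiler already placed before st_size, so that sizeof and the offsets of st_size and the members after it do not change.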