From: Dan Rosenberg <drosenberg@vsecurity.com>
To: linux-kernel@vger.kernel.org
Cc: stable@kernel.org, security@kernel.org
Subject: [PATCH v2] IPC: Initialize structure memory to zero for compat functions
Date: Wed, 06 Oct 2010 21:21:11 -0400 [thread overview]
Message-ID: <1286414471.4645.156.camel@Dan> (raw)
Please ignore the previous patch, no sense in splitting these up.
This takes care of leaking uninitialized kernel stack memory to
userspace from non-zeroed fields in structs in compat ipc functions.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
diff -urp linux-2.6.35.5.orig/ipc/compat.c linux-2.6.35.5/ipc/compat.c
--- linux-2.6.35.5.orig/ipc/compat.c 2010-09-20 16:59:09.000000000 -0400
+++ linux-2.6.35.5/ipc/compat.c 2010-10-06 21:19:04.000000000 -0400
@@ -237,7 +237,7 @@ long compat_sys_semctl(int first, int se
union semun fourth;
u32 pad;
int err, err2;
- struct semid64_ds s64;
+ struct semid64_ds s64 = {};
struct semid64_ds __user *up64;
int version = compat_ipc_parse_version(&third);
@@ -417,7 +417,7 @@ static inline int put_compat_msqid_ds(st
long compat_sys_msgctl(int first, int second, void __user *uptr)
{
int err, err2;
- struct msqid64_ds m64;
+ struct msqid64_ds m64 = {};
int version = compat_ipc_parse_version(&second);
void __user *p;
diff -urp linux-2.6.35.5.orig/ipc/compat_mq.c linux-2.6.35.5/ipc/compat_mq.c
--- linux-2.6.35.5.orig/ipc/compat_mq.c 2010-09-20 16:59:09.000000000 -0400
+++ linux-2.6.35.5/ipc/compat_mq.c 2010-10-06 20:55:08.000000000 -0400
@@ -52,7 +52,7 @@ asmlinkage long compat_sys_mq_open(const
{
void __user *p = NULL;
if (u_attr && oflag & O_CREAT) {
- struct mq_attr attr;
+ struct mq_attr attr = {};
p = compat_alloc_user_space(sizeof(attr));
if (get_compat_mq_attr(&attr, u_attr) ||
copy_to_user(p, &attr, sizeof(attr)))
@@ -123,7 +123,7 @@ asmlinkage long compat_sys_mq_getsetattr
const struct compat_mq_attr __user *u_mqstat,
struct compat_mq_attr __user *u_omqstat)
{
- struct mq_attr mqstat;
+ struct mq_attr mqstat = {};
struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
long ret;
reply other threads:[~2010-10-07 1:21 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1286414471.4645.156.camel@Dan \
--to=drosenberg@vsecurity.com \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.