[patch 1/1] sys_get_thread_area does not clear the returned argument

[patch 1/1] sys_get_thread_area does not clear the returned argument

[blaisorblade]

From: Blaisorblade <blaisorblade@yahoo.it>
CC: <stable@kernel.org>

sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space...  since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.

This was already committed to Linus' repository.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
---

 vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c |    2 ++
 1 files changed, 2 insertions(+)

diff -puN arch/i386/kernel/process.c~sec-micro-info-leak arch/i386/kernel/process.c
--- vanilla-linux-2.6.12/arch/i386/kernel/process.c~sec-micro-info-leak	2005-07-28 21:19:26.000000000 +0200
+++ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c	2005-07-28 21:19:26.000000000 +0200
@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struc
 	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
 		return -EINVAL;
 
+	memset(&info, 0, sizeof(info));
+
 	desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
 
 	info.entry_number = idx;
_

Re: [stable] [patch 1/1] sys_get_thread_area does not clear the returned argument

[Chris Wright]

* blaisorblade@yahoo.it (blaisorblade@yahoo.it) wrote:
> 
> From: Blaisorblade <blaisorblade@yahoo.it>
> CC: <stable@kernel.org>
> 
> sys_get_thread_area does not memset to 0 its struct user_desc info before
> copying it to user space...  since sizeof(struct user_desc) is 16 while the
> actual datas which are filled are only 12 bytes + 9 bits (across the
> bitfields), there is a (small) information leak.
> 
> This was already committed to Linus' repository.

Thanks, queued to -stable.
-chris