* [patch 1/1] sys_get_thread_area does not clear the returned argument
@ 2005-07-30 19:07 blaisorblade
2005-07-31 5:17 ` [stable] " Chris Wright
0 siblings, 1 reply; 2+ messages in thread
From: blaisorblade @ 2005-07-30 19:07 UTC (permalink / raw)
To: stable; +Cc: linux-kernel, blaisorblade
From: Blaisorblade <blaisorblade@yahoo.it>
CC: <stable@kernel.org>
sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space... since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.
This was already committed to Linus' repository.
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
---
vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c | 2 ++
1 files changed, 2 insertions(+)
diff -puN arch/i386/kernel/process.c~sec-micro-info-leak arch/i386/kernel/process.c
--- vanilla-linux-2.6.12/arch/i386/kernel/process.c~sec-micro-info-leak 2005-07-28 21:19:26.000000000 +0200
+++ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c 2005-07-28 21:19:26.000000000 +0200
@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struc
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
return -EINVAL;
+ memset(&info, 0, sizeof(info));
+
desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
info.entry_number = idx;
_
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2005-07-31 5:17 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-07-30 19:07 [patch 1/1] sys_get_thread_area does not clear the returned argument blaisorblade
2005-07-31 5:17 ` [stable] " Chris Wright
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox