[PATCH] sys_get_thread_area does not clear the returned argument
authorBlaisorblade <blaisorblade@yahoo.it>
Wed, 27 Jul 2005 18:45:18 +0000 (11:45 -0700)
committerLinus Torvalds <torvalds@g5.osdl.org>
Wed, 27 Jul 2005 23:26:08 +0000 (16:26 -0700)
sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space...  since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
arch/i386/kernel/process.c

index d9492058aaf32c4821723967d3e158ef4de49616..e3f362e8af5b33e194ac5b7bad3a9ec294f0a030 100644 (file)
@@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info)
        if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
                return -EINVAL;
 
+       memset(&info, 0, sizeof(info));
+
        desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
 
        info.entry_number = idx;