[PATCH] sys_get_thread_area does not clear the returned argument
sys_get_thread_area does not memset to 0 its struct user_desc info before copying it to user space... since sizeof(struct user_desc) is 16 while the actual datas which are filled are only 12 bytes + 9 bits (across the bitfields), there is a (small) information leak. Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
Blaisorblade
Linus Torvalds
parent
44456d37b5
commit
71ae18ec69
1 changed files with 2 additions and 0 deletions
|
|
@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info)
|
|||
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
|
||||
return -EINVAL;
|
||||
|
||||
memset(&info, 0, sizeof(info));
|
||||
|
||||
desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
|
||||
|
||||
info.entry_number = idx;
|
||||
|
|
|
|||
Loading…
Reference in a new issue