tree f2a0c8e0b67120d61f9216638482d5f472e27f29
parent 44456d37b59d8e541936ed26d8b6e08d27e88ac1
author Blaisorblade <[EMAIL PROTECTED]> Thu, 28 Jul 2005 01:45:18 -0700
committer Linus Torvalds <[EMAIL PROTECTED]> Thu, 28 Jul 2005 06:26:08 -0700
[PATCH] sys_get_thread_area does not clear the returned argument
sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space... since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <[EMAIL PROTECTED]>
Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
arch/i386/kernel/process.c | 2 ++
1 files changed, 2 insertions(+)
diff --git a/arch/i386/kernel/process.c b/arch/i386/kernel/process.c
--- a/arch/i386/kernel/process.c
+++ b/arch/i386/kernel/process.c
@@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struc
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
return -EINVAL;
+ memset(&info, 0, sizeof(info));
+
desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
info.entry_number = idx;
-
To unsubscribe from this list: send the line "unsubscribe bk-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
