From: Vasiliy Kulikov <[email protected]>
=====================================================================
| This is a commit scheduled for the next v2.6.34 longterm release. |
| If you see a problem with using this for longterm, please comment.|
=====================================================================
commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream.
The shmid_ds structure is copied to userland with shm_unused{,2,3}
fields unitialized. It leads to leaking of contents of kernel stack
memory.
Signed-off-by: Vasiliy Kulikov <[email protected]>
Acked-by: Al Viro <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Paul Gortmaker <[email protected]>
---
ipc/shm.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/ipc/shm.c b/ipc/shm.c
index 1a314c8..2225a77 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -476,6 +476,7 @@ static inline unsigned long copy_shmid_to_user(void __user
*buf, struct shmid64_
{
struct shmid_ds out;
+ memset(&out, 0, sizeof(out));
ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
out.shm_segsz = in->shm_segsz;
out.shm_atime = in->shm_atime;
--
1.7.4.4
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
