From: Dan Rosenberg <[email protected]> ===================================================================== | This is a commit scheduled for the next v2.6.34 longterm release. | | If you see a problem with using this for longterm, please comment.| =====================================================================
commit 982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 upstream. The semctl syscall has several code paths that lead to the leakage of uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO, IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete version of the semid_ds struct. The copy_semid_to_user() function declares a semid_ds struct on the stack and copies it back to the user without initializing or zeroing the "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers, allowing the leakage of 16 bytes of kernel stack memory. The code is still reachable on 32-bit systems - when calling semctl() newer glibc's automatically OR the IPC command with the IPC_64 flag, but invoking the syscall directly allows users to use the older versions of the struct. Signed-off-by: Dan Rosenberg <[email protected]> Cc: Manfred Spraul <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Signed-off-by: Paul Gortmaker <[email protected]> --- ipc/sem.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/ipc/sem.c b/ipc/sem.c index dbef95b..b4c1641 100644 --- a/ipc/sem.c +++ b/ipc/sem.c @@ -608,6 +608,8 @@ static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in, { struct semid_ds out; + memset(&out, 0, sizeof(out)); + ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm); out.sem_otime = in->sem_otime; -- 1.7.4.4 _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
