[patch 1/1] sys_get_thread_area does not clear the returned argument

blaisorblade_at_yahoo.it
Date: 07/30/05

    To: stable@kernel.org
    Date:	Sat, 30 Jul 2005 21:07:02 +0200
    
    

    From: Blaisorblade <blaisorblade@yahoo.it>
    CC: <stable@kernel.org>

    sys_get_thread_area does not memset to 0 its struct user_desc info before
    copying it to user space... since sizeof(struct user_desc) is 16 while the
    actual data which is filled is only 12 bytes + 9 bits (across the
    bitfields), there is a (small) information leak.

    This was already committed to Linus' repository.

    Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>

    ---
     vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c |    2 ++
     1 files changed, 2 insertions(+)
    diff -puN arch/i386/kernel/process.c~sec-micro-info-leak arch/i386/kernel/process.c
    --- vanilla-linux-2.6.12/arch/i386/kernel/process.c~sec-micro-info-leak	2005-07-28 21:19:26.000000000 +0200
    +++ vanilla-linux-2.6.12-paolo/arch/i386/kernel/process.c	2005-07-28 21:19:26.000000000 +0200
    @@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struc
     	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
     		return -EINVAL;
     
    +	memset(&info, 0, sizeof(info));
    +
     	desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
     
     	info.entry_number = idx;
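    Review bot: the zeroing has to precede every store to info, and it does here, since `info.entry_number = idx;` is the first assignment after the new `memset(&info, 0, sizeof(info));`; clearing the whole 16 bytes is preferable to assigning members one by one because the bit after the last bitfield and the trailing padding bytes have no member name to assign through. A one-line comment above the memset saying that info is copied to user space in full would record why it is needed, so a later cleanup does not drop it as redundant.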
    _

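The leak described in the commit message can be measured in user space without the kernel. The following is an added example, not code from the patch or the kernel: a struct that mirrors the 16-byte layout the message describes (three 4-byte fields followed by single- and two-bit bitfields packed into a fourth 4-byte unit), a hypothetical stand-in for the pre-patch body of sys_get_thread_area that assigns every named member, and the same stand-in with the patch's memset in front. Each filler is run over memory pre-set to 0x00 and again over memory pre-set to 0xFF; any bit that differs between the two results is a bit whose value came from what the memory held before, which is exactly what would have reached user space as uninitialised kernel stack. base_addr is declared unsigned int here (an assumption, the kernel uses unsigned long) so the struct stays 16 bytes on 64-bit hosts; the field values are constructed.

```c
/* Added example (not the kernel's code): counts the bits of stale memory that
 * a partially assigned struct carries to the copy-out, and shows that zeroing
 * it first removes them.  Build: cc -O2 -Wall leak.c -o leak */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Mirrors the 16-byte i386 struct user_desc layout from the commit message.
 * base_addr is unsigned int (assumption) so sizeof stays 16 on 64-bit hosts. */
struct tls_desc {
    unsigned int entry_number;
    unsigned int base_addr;
    unsigned int limit;
    unsigned int seg_32bit:1;
    unsigned int contents:2;
    unsigned int read_exec_only:1;
    unsigned int limit_in_pages:1;
    unsigned int seg_not_present:1;
    unsigned int useable:1;
};

typedef void (*fill_fn)(struct tls_desc *info, unsigned int idx);

/* Hypothetical stand-in for the pre-patch sys_get_thread_area body: every
 * named member is assigned, but the bits no name covers (the rest of the
 * bitfield word and the trailing padding bytes) keep their prior contents. */
static void fill_unpatched(struct tls_desc *info, unsigned int idx)
{
    info->entry_number = idx;
    info->base_addr = 0xb7fe0000u;   /* constructed sample values */
    info->limit = 0xfffffu;
    info->seg_32bit = 1;
    info->contents = 0;
    info->read_exec_only = 0;
    info->limit_in_pages = 1;
    info->seg_not_present = 0;
    info->useable = 1;
}

/* Same body with the patch's fix applied: clear the whole object first. */
static void fill_patched(struct tls_desc *info, unsigned int idx)
{
    memset(info, 0, sizeof(*info));
    fill_unpatched(info, idx);
}

/* Fill one copy whose memory starts as all 0x00 and one whose memory starts
 * as all 0xFF, then count the bits that differ.  Those bits depend on the
 * prior memory contents rather than on the filler, i.e. they leak. */
static unsigned int leaked_bits(fill_fn fill)
{
    struct tls_desc zero, ones;
    const unsigned char *pz = (const unsigned char *)&zero;
    const unsigned char *po = (const unsigned char *)&ones;
    unsigned int count = 0;
    size_t i;

    memset(&zero, 0x00, sizeof zero);
    memset(&ones, 0xff, sizeof ones);
    fill(&zero, 6);
    fill(&ones, 6);

    for (i = 0; i < sizeof(struct tls_desc); i++) {
        unsigned char diff = pz[i] ^ po[i];
        while (diff) {                 /* popcount of the differing bits */
            count += diff & 1u;
            diff >>= 1;
        }
    }
    return count;
}

int main(void)
{
    printf("sizeof(struct tls_desc) = %zu\n", sizeof(struct tls_desc));
    /* 7 bits of the last word are assigned, so 25 of its 32 bits leak on
     * the usual GCC/Clang x86 layout; with the memset none do. */
    printf("bits leaked without memset: %u\n", leaked_bits(fill_unpatched));
    printf("bits leaked with memset:    %u\n", leaked_bits(fill_patched));
    return 0;
}
```

The two-pattern comparison is the point of the example: it does not rely on guessing what is on the stack, it detects any bit the filler left untouched regardless of the starting contents, which is the same property a reviewer wants from a struct that is about to be handed to copy_to_user.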
