Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 71ae18ec authored by Paolo 'Blaisorblade' Giarrusso's avatar Paolo 'Blaisorblade' Giarrusso Committed by Linus Torvalds
Browse files

[PATCH] sys_get_thread_area does not clear the returned argument 



sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space...  since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.

Signed-off-by: default avatarPaolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 44456d37

arch/i386/kernel/process.c

+2 −0
Original line number Diff line number Diff line
@@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info) 
	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)

		return -EINVAL;



	memset(&info, 0, sizeof(info));



	desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;



	info.entry_number = idx;