diff options
| author | Blaisorblade | 2005-07-27 20:45:18 +0200 |
|---|---|---|
| committer | Linus Torvalds | 2005-07-28 01:26:08 +0200 |
| commit | 71ae18ec690953e9ba7107c7cc44589c2cc0d9f1 (patch) | |
| tree | f2a0c8e0b67120d61f9216638482d5f472e27f29 /arch/i386/kernel/process.c | |
| parent | [PATCH] turn many #if $undefined_string into #ifdef $undefined_string (diff) | |
| download | kernel-qcow2-linux-71ae18ec690953e9ba7107c7cc44589c2cc0d9f1.tar.gz kernel-qcow2-linux-71ae18ec690953e9ba7107c7cc44589c2cc0d9f1.tar.xz kernel-qcow2-linux-71ae18ec690953e9ba7107c7cc44589c2cc0d9f1.zip | |
[PATCH] sys_get_thread_area does not clear the returned argument
sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space... since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'arch/i386/kernel/process.c')
| -rw-r--r-- | arch/i386/kernel/process.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/arch/i386/kernel/process.c b/arch/i386/kernel/process.c index d9492058aaf3..e3f362e8af5b 100644 --- a/arch/i386/kernel/process.c +++ b/arch/i386/kernel/process.c @@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info) if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) return -EINVAL; + memset(&info, 0, sizeof(info)); + desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN; info.entry_number = idx; |