Commit 71ae18ec, authored by Blaisorblade, committed by Linus Torvalds

[PATCH] sys_get_thread_area does not clear the returned argument

sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space...  since sizeof(struct user_desc) is 16 while the
actual data which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Parent 44456d37
...@@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info) ...@@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info)
if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
return -EINVAL; return -EINVAL;
memset(&info, 0, sizeof(info));
desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN; desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
info.entry_number = idx; info.entry_number = idx;
......
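Review bot: the added memset(&info, 0, sizeof(info)) carries no comment explaining why it is needed, and because the lines that follow assign the fields of info one by one, a later cleanup could mistake it for a redundant initialization and remove it. A one-line comment above the call would guard against that, for example noting that struct user_desc is 16 bytes while only 12 bytes + 9 bits are set explicitly and the struct is then copied to user space, so the remaining bits must be zeroed first. The placement itself, after the idx range check and before the first field assignment, looks right, since the early return -EINVAL path never touches info.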