[PATCH] sys_get_thread_area does not clear the returned argument

CC: <stable@kernel.org> sys_get_thread_area does not memset to 0 its struct user_desc info before copying it to user space... since sizeof(struct user_desc) is 16 while the actual datas which are filled are only 12 bytes + 9 bits (across the bitfields), there is a (small) information leak. This was already committed to Linus' repository. Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it> Signed-off-by: Chris Wright <chrisw@osdl.org>
author: Blaisorblade <blaisorblade@yahoo.it> 2005-07-30 21:07:02 +0200
committer: Chris Wright <chrisw@osdl.org> 2005-08-05 00:04:23 -0700
commit: 685dd5ff54ea9b3333df75427bd91d9601813c23 (patch)
tree: 25c4613aece4f422a707e005d0f565286d85b5c8
parent: 60372783e59079bdfd3ba0477e1907669249a489 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/arch/i386/kernel/process.c b/arch/i386/kernel/process.c
index 96e3ea6b17c7..173799685df3 100644
--- a/arch/i386/kernel/process.c
+++ b/arch/i386/kernel/process.c
@@ -827,6 +827,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info)
 	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
 		return -EINVAL;
 
+	memset(&info, 0, sizeof(info));
+
 	desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
 
 	info.entry_number = idx;
author	Blaisorblade <blaisorblade@yahoo.it>	2005-07-30 21:07:02 +0200
committer	Chris Wright <chrisw@osdl.org>	2005-08-05 00:04:23 -0700
commit	685dd5ff54ea9b3333df75427bd91d9601813c23 (patch)
tree	25c4613aece4f422a707e005d0f565286d85b5c8
parent	60372783e59079bdfd3ba0477e1907669249a489 (diff)