aboutsummaryrefslogtreecommitdiffstats
path: root/arch/i386
diff options
context:
space:
mode:
authorBlaisorblade <blaisorblade@yahoo.it>2005-07-27 14:45:18 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-07-27 19:26:08 -0400
commit71ae18ec690953e9ba7107c7cc44589c2cc0d9f1 (patch)
treef2a0c8e0b67120d61f9216638482d5f472e27f29 /arch/i386
parent44456d37b59d8e541936ed26d8b6e08d27e88ac1 (diff)
[PATCH] sys_get_thread_area does not clear the returned argument
sys_get_thread_area does not memset to 0 its struct user_desc info before copying it to user space... since sizeof(struct user_desc) is 16 while the actual datas which are filled are only 12 bytes + 9 bits (across the bitfields), there is a (small) information leak. Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'arch/i386')
-rw-r--r--arch/i386/kernel/process.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/arch/i386/kernel/process.c b/arch/i386/kernel/process.c
index d9492058aaf3..e3f362e8af5b 100644
--- a/arch/i386/kernel/process.c
+++ b/arch/i386/kernel/process.c
@@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info)
917 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) 917 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
918 return -EINVAL; 918 return -EINVAL;
919 919
920 memset(&info, 0, sizeof(info));
921
920 desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN; 922 desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
921 923
922 info.entry_number = idx; 924 info.entry_number = idx;