From: Blaisorblade <blaisorblade@yahoo.it>
Date: Wed, 27 Jul 2005 18:45:18 +0000 (-0700)
Subject: [PATCH] sys_get_thread_area does not clear the returned argument
X-Git-Tag: firefly_0821_release~42584^2~67
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=71ae18ec690953e9ba7107c7cc44589c2cc0d9f1;p=firefly-linux-kernel-4.4.55.git

[PATCH] sys_get_thread_area does not clear the returned argument

sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space...  since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---

diff --git a/arch/i386/kernel/process.c b/arch/i386/kernel/process.c
index d9492058aaf3..e3f362e8af5b 100644
--- a/arch/i386/kernel/process.c
+++ b/arch/i386/kernel/process.c
@@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info)
 	if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
 		return -EINVAL;
 
+	memset(&info, 0, sizeof(info));
+
 	desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
 
 	info.entry_number = idx;