fanotify: info leak in copy_event_to_user()
authorDan Carpenter <dan.carpenter@oracle.com>
Mon, 8 Jul 2013 22:59:40 +0000 (15:59 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 9 Jul 2013 17:33:19 +0000 (10:33 -0700)
The ->reserved field isn't cleared so we leak one byte of stack
information to userspace.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/notify/fanotify/fanotify_user.c

index 1ea52f7c031fbd2aed6247ec445d10103ec973ad..e16076d386c43ccdb55c76637074cc6f11eaa92d 100644 (file)
@@ -122,6 +122,7 @@ static int fill_event_metadata(struct fsnotify_group *group,
        metadata->event_len = FAN_EVENT_METADATA_LEN;
        metadata->metadata_len = FAN_EVENT_METADATA_LEN;
        metadata->vers = FANOTIFY_METADATA_VERSION;
+       metadata->reserved = 0;
        metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
        metadata->pid = pid_vnr(event->tgid);
        if (unlikely(event->mask & FAN_Q_OVERFLOW))