From: Blaisorblade Date: Wed, 27 Jul 2005 18:45:18 +0000 (-0700) Subject: [PATCH] sys_get_thread_area does not clear the returned argument X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=71ae18ec690953e9ba7107c7cc44589c2cc0d9f1;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [PATCH] sys_get_thread_area does not clear the returned argument sys_get_thread_area does not memset to 0 its struct user_desc info before copying it to user space... since sizeof(struct user_desc) is 16 while the actual datas which are filled are only 12 bytes + 9 bits (across the bitfields), there is a (small) information leak. Signed-off-by: Paolo 'Blaisorblade' Giarrusso Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/arch/i386/kernel/process.c b/arch/i386/kernel/process.c index d9492058aaf3..e3f362e8af5b 100644 --- a/arch/i386/kernel/process.c +++ b/arch/i386/kernel/process.c @@ -917,6 +917,8 @@ asmlinkage int sys_get_thread_area(struct user_desc __user *u_info) if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX) return -EINVAL; + memset(&info, 0, sizeof(info)); + desc = current->thread.tls_array + idx - GDT_ENTRY_TLS_MIN; info.entry_number = idx;