| From b78ffb3fb6f1831b833a5dcfbaa34ce5b0eaa8d7 Mon Sep 17 00:00:00 2001 |
| From: Vasiliy Kulikov <segooon@gmail.com> |
| Date: Sat, 30 Oct 2010 18:22:49 +0400 |
| Subject: [PATCH] ipc: shm: fix information leak to userland |
| |
| commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream. |
| |
| The shmid_ds structure is copied to userland with the shm_unused{,2,3} |
| fields uninitialized. This leaks the contents of kernel stack |
| memory. |
| |
| Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> |
| Acked-by: Al Viro <viro@ZenIV.linux.org.uk> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/ipc/shm.c b/ipc/shm.c |
| index 1a314c8..2225a77 100644 |
| --- a/ipc/shm.c |
| +++ b/ipc/shm.c |
| @@ -476,6 +476,7 @@ static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ |
| { |
| struct shmid_ds out; |
| |
| + memset(&out, 0, sizeof(out)); |
| ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm); |
| out.shm_segsz = in->shm_segsz; |
| out.shm_atime = in->shm_atime; |
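Review bot: The added `memset(&out, 0, sizeof(out));` carries no comment saying why the whole struct is cleared, so a later cleanup could mistake it for redundant initialisation and swap it for per-field assignments, which would leave the `shm_unused*` fields (and any padding, if the layout has it) unset again. I would put `/* Clear the whole struct, unused fields included: it is copied to userland as-is. */` directly above it. The function body, including the actual copy to `buf`, continues outside the hunk, so whether any other local struct in this function is copied out without being cleared cannot be checked from here.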
| -- |
| 1.7.4.4 |
| |