Message-ID: <1286414471.4645.156.camel@Dan>
Date: Wed, 06 Oct 2010 21:21:11 -0400
From: Dan Rosenberg <drosenberg@...curity.com>
To: linux-kernel@...r.kernel.org
Cc: stable@...nel.org, security@...nel.org
Subject: [PATCH v2] IPC: Initialize structure memory to zero for compat
functions
Please ignore the previous patch, no sense in splitting these up.
This takes care of leaking uninitialized kernel stack memory to
userspace from non-zeroed fields in structs in compat ipc functions.
Signed-off-by: Dan Rosenberg <drosenberg@...curity.com>
diff -urp linux-2.6.35.5.orig/ipc/compat.c linux-2.6.35.5/ipc/compat.c
--- linux-2.6.35.5.orig/ipc/compat.c 2010-09-20 16:59:09.000000000 -0400
+++ linux-2.6.35.5/ipc/compat.c 2010-10-06 21:19:04.000000000 -0400
@@ -237,7 +237,7 @@ long compat_sys_semctl(int first, int se
union semun fourth;
u32 pad;
int err, err2;
- struct semid64_ds s64;
+ struct semid64_ds s64 = {};
struct semid64_ds __user *up64;
int version = compat_ipc_parse_version(&third);
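Review bot: The `= {}` initializer on `s64` (and likewise on `m64` in compat_sys_msgctl, `attr` in compat_sys_mq_open and `mqstat` in compat_sys_mq_getsetattr) zeroes the named members, but C does not guarantee that padding bytes between or after members are cleared. That matters where the whole object is copied out, as in the visible `copy_to_user(p, &attr, sizeof(attr))` in compat_sys_mq_open. Whether any of these structs has padding on a given architecture is not visible from the hunks, so an explicit `memset(&s64, 0, sizeof(s64));` after the declarations (and the same for the other three) would make the fix independent of layout and compiler behaviour. A short comment such as `/* zeroed: copied to userspace, must not carry stack contents */` at each site would also keep a later cleanup from dropping the initialization. All four function bodies continue outside their hunks, so the copy-out paths for `s64`, `m64` and `mqstat` should be checked against the full file.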
@@ -417,7 +417,7 @@ static inline int put_compat_msqid_ds(st
long compat_sys_msgctl(int first, int second, void __user *uptr)
{
int err, err2;
- struct msqid64_ds m64;
+ struct msqid64_ds m64 = {};
int version = compat_ipc_parse_version(&second);
void __user *p;
diff -urp linux-2.6.35.5.orig/ipc/compat_mq.c linux-2.6.35.5/ipc/compat_mq.c
--- linux-2.6.35.5.orig/ipc/compat_mq.c 2010-09-20 16:59:09.000000000 -0400
+++ linux-2.6.35.5/ipc/compat_mq.c 2010-10-06 20:55:08.000000000 -0400
@@ -52,7 +52,7 @@ asmlinkage long compat_sys_mq_open(const
{
void __user *p = NULL;
if (u_attr && oflag & O_CREAT) {
- struct mq_attr attr;
+ struct mq_attr attr = {};
p = compat_alloc_user_space(sizeof(attr));
if (get_compat_mq_attr(&attr, u_attr) ||
copy_to_user(p, &attr, sizeof(attr)))
@@ -123,7 +123,7 @@ asmlinkage long compat_sys_mq_getsetattr
const struct compat_mq_attr __user *u_mqstat,
struct compat_mq_attr __user *u_omqstat)
{
- struct mq_attr mqstat;
+ struct mq_attr mqstat = {};
struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
long ret;