compat: fix 4-byte infoleak via uninitialized struct field - kernel

diff options

author	Jann Horn <[email protected]>	2018-05-11 00:19:01 +0000
committer	Linus Torvalds <[email protected]>	2018-05-11 00:51:58 +0000
commit	0a0b98734479aa5b3c671d5190e86273372cab95 (patch)
tree	d5b5f0604c0cd3ea41bdcf5c1eda8793bc720129 /lib/mpi/mpi-cmp.c
parent	Merge tag 'for-4.17/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/gi... (diff)
download	kernel-0a0b98734479aa5b3c671d5190e86273372cab95.tar.gz kernel-0a0b98734479aa5b3c671d5190e86273372cab95.zip

compat: fix 4-byte infoleak via uninitialized struct field

Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts") removed the memset() in compat_get_timex(). Since then, the compat adjtimex syscall can invoke do_adjtimex() with an uninitialized ->tai. If do_adjtimex() doesn't write to ->tai (e.g. because the arguments are invalid), compat_put_timex() then copies the uninitialized ->tai field to userspace. Fix it by adding the memset() back. Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts") Signed-off-by: Jann Horn <[email protected]> Acked-by: Kees Cook <[email protected]> Acked-by: Al Viro <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>

Diffstat (limited to 'lib/mpi/mpi-cmp.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: