From: Danny Feng <dfeng@redhat.com>
Date: Mon, 22 Nov 2010 08:39:37 -0500
Subject: [ipc] shm: fix information leak to userland
Message-id: <20101122083936.28626.35546.sendpatchset@danny.redhat>
Patchwork-id: 29530
O-Subject: [PATCH RHEL5.6] ipc: shm: fix information leak to userland
Bugzilla: 648687
CVE: CVE-2010-4072
RH-Acked-by: Larry Woodman <lwoodman@redhat.com>
RH-Acked-by: Don Zickus <dzickus@redhat.com>
RH-Acked-by: Dean Nelson <dnelson@redhat.com>
Backport of:
commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44
Author: Vasiliy Kulikov <segooon@gmail.com>
Date: Sat Oct 30 18:22:49 2010 +0400
ipc: shm: fix information leak to userland
The shmid_ds structure is copied to userland with shm_unused{,2,3}
fields unitialized. It leads to leaking of contents of kernel stack
memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Resolves bz648687
AKA CVE-2010-4072
diff --git a/ipc/shm.c b/ipc/shm.c
index 940b0c9..9d4e4d7 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -313,6 +313,7 @@ static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_
{
struct shmid_ds out;
+ memset(&out, 0, sizeof(out));
ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
out.shm_segsz = in->shm_segsz;
out.shm_atime = in->shm_atime;
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
27922b4260f65d317aabda37e42bbbff
>
files
>
1610
