From: Danny Feng <dfeng@redhat.com> Date: Mon, 22 Nov 2010 08:39:37 -0500 Subject: [ipc] shm: fix information leak to userland Message-id: <20101122083936.28626.35546.sendpatchset@danny.redhat> Patchwork-id: 29530 O-Subject: [PATCH RHEL5.6] ipc: shm: fix information leak to userland Bugzilla: 648687 CVE: CVE-2010-4072 RH-Acked-by: Larry Woodman <lwoodman@redhat.com> RH-Acked-by: Don Zickus <dzickus@redhat.com> RH-Acked-by: Dean Nelson <dnelson@redhat.com> Backport of: commit 3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 Author: Vasiliy Kulikov <segooon@gmail.com> Date: Sat Oct 30 18:22:49 2010 +0400 ipc: shm: fix information leak to userland The shmid_ds structure is copied to userland with shm_unused{,2,3} fields unitialized. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Resolves bz648687 AKA CVE-2010-4072 diff --git a/ipc/shm.c b/ipc/shm.c index 940b0c9..9d4e4d7 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -313,6 +313,7 @@ static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ { struct shmid_ds out; + memset(&out, 0, sizeof(out)); ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm); out.shm_segsz = in->shm_segsz; out.shm_atime = in->shm_atime;