diff options
| author |  Jann Horn <jannh@google.com>
| 2018-05-11 02:19:01 +0200 |
|---|---|---|
| committer |  Linus Torvalds <torvalds@linux-foundation.org>
| 2018-05-10 17:51:58 -0700 |
| commit | 0a0b98734479aa5b3c671d5190e86273372cab95 (patch) | |
| tree | d5b5f0604c0cd3ea41bdcf5c1eda8793bc720129 /drivers | |
| parent | Merge tag 'for-4.17/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/gi... (diff) | |
| download | linux-0a0b98734479aa5b3c671d5190e86273372cab95.tar.gz linux-0a0b98734479aa5b3c671d5190e86273372cab95.tar.bz2 linux-0a0b98734479aa5b3c671d5190e86273372cab95.zip | |
compat: fix 4-byte infoleak via uninitialized struct field
Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to
native counterparts") removed the memset() in compat_get_timex(). Since
then, the compat adjtimex syscall can invoke do_adjtimex() with an
uninitialized ->tai.
If do_adjtimex() doesn't write to ->tai (e.g. because the arguments are
invalid), compat_put_timex() then copies the uninitialized ->tai field
to userspace.
Fix it by adding the memset() back.
Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers')
0 files changed, 0 insertions, 0 deletions