Skip to content

Commit

Permalink
compat: fix 4-byte infoleak via uninitialized struct field
Browse files Browse the repository at this point in the history 
Commit 3a4d44b ("ntp: Move adjtimex related compat syscalls to
native counterparts") removed the memset() in compat_get_timex().  Since
then, the compat adjtimex syscall can invoke do_adjtimex() with an
uninitialized ->tai.

If do_adjtimex() doesn't write to ->tai (e.g.  because the arguments are
invalid), compat_put_timex() then copies the uninitialized ->tai field
to userspace.

Fix it by adding the memset() back.

Fixes: 3a4d44b ("ntp: Move adjtimex related compat syscalls to native counterparts")
Signed-off-by: Jann Horn <[email protected]>
Acked-by: Kees Cook <[email protected]>
Acked-by: Al Viro <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
@thejh @torvalds
thejh authored and torvalds committed May 11, 2018
1 parent 94d7dbf commit 0a0b987
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions kernel/compat.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ int compat_get_timex(struct timex *txc, const struct compat_timex __user *utp)
{
struct compat_timex tx32;

memset(txc, 0, sizeof(struct timex));
if (copy_from_user(&tx32, utp, sizeof(struct compat_timex)))
return -EFAULT;

Expand Down

0 comments on commit 0a0b987

Please sign in to comment.