The patch titled sys_semctl: fix kernel stack leakage has been added to the -mm tree. Its filename is sys_semctl-fix-kernel-stack-leakage.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find out what to do about this The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/ ------------------------------------------------------ Subject: sys_semctl: fix kernel stack leakage From: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> The semctl syscall has several code paths that lead to the leakage of uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO, IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete version of the semid_ds struct. The copy_semid_to_user() function declares a semid_ds struct on the stack and copies it back to the user without initializing or zeroing the "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers, allowing the leakage of 16 bytes of kernel stack memory. The code is still reachable on 32-bit systems - when calling semctl() newer glibc's automatically OR the IPC command with the IPC_64 flag, but invoking the syscall directly allows users to use the older versions of the struct. Signed-off-by: Dan Rosenberg <dan.j.rosenberg@xxxxxxxxx> Cc: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- ipc/sem.c | 2 ++ 1 file changed, 2 insertions(+) diff -puN ipc/sem.c~sys_semctl-fix-kernel-stack-leakage ipc/sem.c --- a/ipc/sem.c~sys_semctl-fix-kernel-stack-leakage +++ a/ipc/sem.c @@ -743,6 +743,8 @@ static unsigned long copy_semid_to_user( { struct semid_ds out; + memset(&out, 0, sizeof(out)); + ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm); out.sem_otime = in->sem_otime; _ Patches currently in -mm which might be from drosenberg@xxxxxxxxxxxxx are origin.patch sys_semctl-fix-kernel-stack-leakage.patch drivers-serial-serial_corec-prevent-reading-uninitialized-stack-memory.patch drivers-char-amiserialc-prevent-reading-uninitialized-stack-memory.patch drivers-char-nozomic-prevent-reading-uninitialized-stack-memory.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html