summaryrefslogtreecommitdiffstats
path: root/net/netlabel
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2014-10-04 23:06:39 +0200
committerThomas Gleixner <tglx@linutronix.de>2014-10-25 10:43:15 +0200
commit6891c4509c792209c44ced55a60f13954cb50ef4 (patch)
tree807663dfdef1607ff4c10c364aa52254d969678a /net/netlabel
parentf114040e3ea6e07372334ade75d1ee0775c355e1 (diff)
downloadlinux-stable-6891c4509c792209c44ced55a60f13954cb50ef4.tar.gz
linux-stable-6891c4509c792209c44ced55a60f13954cb50ef4.tar.bz2
linux-stable-6891c4509c792209c44ced55a60f13954cb50ef4.zip
posix-timers: Fix stack info leak in timer_create()
If userland creates a timer without specifying a sigevent info, we'll create one ourself, using a stack local variable. Particularly will we use the timer ID as sival_int. But as sigev_value is a union containing a pointer and an int, that assignment will only partially initialize sigev_value on systems where the size of a pointer is bigger than the size of an int. On such systems we'll copy the uninitialized stack bytes from the timer_create() call to userland when the timer actually fires and we're going to deliver the signal. Initialize sigev_value with 0 to plug the stack info leak. Found in the PaX patch, written by the PaX Team. Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...") Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Brad Spengler <spender@grsecurity.net> Cc: PaX Team <pageexec@freemail.hu> Cc: <stable@vger.kernel.org> # v2.6.28+ Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Diffstat (limited to 'net/netlabel')
0 files changed, 0 insertions, 0 deletions