[CVE-2013-2148][Precise][Quantal][Raring] fanotify: info leak in copy_event_to_user()
Luis Henriques
luis.henriques at canonical.com
Thu Jul 25 09:22:09 UTC 2013
From: Dan Carpenter <dan.carpenter at oracle.com>
CVE-2013-2148
BugLink: http://bugs.launchpad.net/bugs/1188356
The ->reserved field isn't cleared so we leak one byte of stack
information to userspace.
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Cc: Eric Paris <eparis at redhat.com>
Cc: Al Viro <viro at zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit de1e0c40aceb9d5bff09c3a3b97b2f1b178af53f)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
fs/notify/fanotify/fanotify_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 88630be..54efadf 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -118,6 +118,7 @@ static int fill_event_metadata(struct fsnotify_group *group,
metadata->event_len = FAN_EVENT_METADATA_LEN;
metadata->metadata_len = FAN_EVENT_METADATA_LEN;
metadata->vers = FANOTIFY_METADATA_VERSION;
+ metadata->reserved = 0;
metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
metadata->pid = pid_vnr(event->tgid);
if (unlikely(event->mask & FAN_Q_OVERFLOW))
--
1.8.1.2
More information about the kernel-team
mailing list