From a96c2fed105547568ff514c218e9e38bd9dd2b31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Tue, 2 Oct 2012 15:39:29 -0700 Subject: [PATCH] uts: fix stack memory leak in UNAME26 The UNAME26 personality allows a leak of kernel stack contents. This fixes it by initializing the stack buffer to zero and truncating the copy_to_user correctly. Reported-by: Brad Spengler Signed-off-by: Kees Cook --- kernel/sys.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index 241507f..0dc5663 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1264,13 +1264,13 @@ DECLARE_RWSEM(uts_sem); * Work around broken programs that cannot handle "Linux 3.0". * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40 */ -static int override_release(char __user *release, int len) +static int override_release(char __user *release, size_t len) { int ret = 0; - char buf[65]; + char buf[65] = { 0 }; + const char *rest = UTS_RELEASE; if (current->personality & UNAME26) { - char *rest = UTS_RELEASE; int ndots = 0; unsigned v; @@ -1282,7 +1282,9 @@ static int override_release(char __user *release, int len) rest++; } v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; - snprintf(buf, len, "2.6.%u%s", v, rest); + snprintf(buf, sizeof(buf), "2.6.%u%s", v, rest); + if (sizeof(buf) < len) + len = sizeof(buf); ret = copy_to_user(release, buf, len); } return ret; -- 1.7.9.5