From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steven Whitehouse
Date: Thu, 26 Jan 2017 10:54:44 +0000
Subject: [Cluster-devel] [PATCH] fs/dlm: Fix kernel memory disclosure
In-Reply-To:
References: <1483968444-5460-1-git-send-email-vlad@tsyrklevich.net>
Message-ID: <2efd4f10-da3a-4a24-a9a2-cb0b96d60338@redhat.com>
List-Id:
To: cluster-devel.redhat.com
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi,

On 26/01/17 08:54, Vlad Tsyrklevich wrote:
> Hello, I wanted to ping the list and see if this could get a review.
>
> On Mon, Jan 9, 2017 at 8:27 PM, Vlad Tsyrklevich wrote:
>> Clear the 'unused' field to avoid leaking memory to userland in
>> copy_result_to_user().
>>
>> Signed-off-by: Vlad Tsyrklevich
>> ---
>> fs/dlm/user.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/fs/dlm/user.c b/fs/dlm/user.c
>> index 1ce908c..0570711 100644
>> --- a/fs/dlm/user.c
>> +++ b/fs/dlm/user.c
>> @@ -138,6 +138,8 @@ static void compat_output(struct dlm_lock_result *res,
>> res32->lksb.sb_flags = res->lksb.sb_flags;
>> res32->lksb.sb_lkid = res->lksb.sb_lkid;
>> res32->lksb.sb_lvbptr = (__u32)(long)res->lksb.sb_lvbptr;
>> +
>> + memset(&res32->unused, 0, sizeof(res32->unused));
>> }
>> #endif
>>
>> --
>> 2.7.0
>>

It looks like struct dlm_lksb32 has a hole in it, so it would be safer just to zero the whole of the dlm_lock_result32 before it is written to, rather than trying to find all the holes individually, even if slightly slower (I'm not sure it would be noticeable in reality though).

Steve.
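Review bot: the memset at the end of the compat_output() hunk only clears the named `unused` member, so any compiler-inserted padding elsewhere in struct dlm_lock_result32 (including the hole in struct dlm_lksb32 that the reply points out) is still copied to userland uninitialised by copy_result_to_user(). Zero the whole object once, before the field assignments at the top of compat_output(), for example `memset(res32, 0, sizeof(*res32));`, and drop the per-field memset; that covers every hole without needing to enumerate them.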
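The point in the reply above, that clearing one named field is not enough when the struct has padding holes, as an added example in userspace C (not code from the kernel, the patch, or the reviewer). The layout of `struct dlm_lksb32` below is an assumption modelled on fs/dlm/user.c (u32, u32, u8, u32); the sentinel fill, the union view and the two helper functions are constructed for the demonstration only.

```c
/*
 * Added example, not from the kernel or from the patch under review:
 * a struct with a padding hole is filled with a stale-byte sentinel,
 * then populated the way compat_output() does it (field by field)
 * versus after one memset() of the whole object.  Whatever bytes still
 * carry the sentinel afterwards are exactly what a copy_to_user() of the
 * struct would disclose.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (modelled on fs/dlm/user.c): the u8 followed by a u32
 * forces a 3-byte hole on any ABI with 4-byte u32 alignment. */
struct dlm_lksb32 {
	uint32_t sb_status;
	uint32_t sb_lkid;
	uint8_t  sb_flags;
	uint32_t sb_lvbptr;
};

/* Sentinel standing in for whatever the allocator left behind. */
#define STALE 0xAA

/* Union view so the raw bytes can be inspected without aliasing tricks. */
union lksb_view {
	struct dlm_lksb32 s;
	unsigned char raw[sizeof(struct dlm_lksb32)];
};

static size_t count_stale(const union lksb_view *v)
{
	size_t n = 0;
	for (size_t i = 0; i < sizeof v->raw; i++)
		if (v->raw[i] == STALE)
			n++;
	return n;
}

/* Volatile stores keep the compiler from merging adjacent field writes
 * into one wider store that would incidentally overwrite the padding. */
static void fill_fields(union lksb_view *v)
{
	volatile struct dlm_lksb32 *p = &v->s;
	p->sb_status = 0;
	p->sb_lkid = 0x1234;
	p->sb_flags = 0x01;
	p->sb_lvbptr = 0xdeadbeef;
}

/* Bytes of the struct not covered by any named member. */
size_t padding_bytes(void)
{
	return sizeof(struct dlm_lksb32)
	       - (3 * sizeof(uint32_t) + sizeof(uint8_t));
}

/* Mirrors the patch's approach: assign every named field, nothing else. */
size_t leaked_bytes_fieldwise(void)
{
	union lksb_view v;
	memset(&v, STALE, sizeof v);	/* stale heap/stack contents */
	fill_fields(&v);
	return count_stale(&v);
}

/* Mirrors the reply's suggestion: zero the whole object before writing. */
size_t leaked_bytes_zeroed(void)
{
	union lksb_view v;
	memset(&v, STALE, sizeof v);
	memset(&v.s, 0, sizeof v.s);	/* one memset covers every hole */
	fill_fields(&v);
	return count_stale(&v);
}

int main(void)
{
	printf("sizeof(struct dlm_lksb32) = %zu, padding = %zu\n",
	       sizeof(struct dlm_lksb32), padding_bytes());
	printf("field-by-field assignment leaves %zu stale byte(s)\n",
	       leaked_bytes_fieldwise());
	printf("memset of the whole struct leaves %zu stale byte(s)\n",
	       leaked_bytes_zeroed());
	return 0;
}
```

Run with any hosted C compiler; the stale count from the field-by-field path equals the padding size, and the memset path reports zero. The same reasoning applies one level up to struct dlm_lock_result32, which is why zeroing that whole object once is simpler than chasing each hole.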