From 06c03cac9487555478c7d80065ebf7818bf6fd06 Mon Sep 17 00:00:00 2001 From: Lennert Buytenhek Date: Mon, 7 Nov 2005 21:12:07 +0000 Subject: [ARM] 3117/1: nwfpe kernel memory info leak Patch from Lennert Buytenhek The routine that nwfpe uses for converting floats/doubles to extended precision fails to zero two bytes of kernel stack. This is not immediately obvious, as the floatx80 structure has 16 bits of implicit padding (by design.) These two bytes are copied to userspace when an stfe is emulated, causing a possible info leak. Make the padding explicit and zero it out in the relevant places. Signed-off-by: Lennert Buytenhek Signed-off-by: Russell King --- arch/arm/nwfpe/fpopcode.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'arch/arm/nwfpe/fpopcode.c') diff --git a/arch/arm/nwfpe/fpopcode.c b/arch/arm/nwfpe/fpopcode.c index 4c9f5703148c..67ff2ab08ea0 100644 --- a/arch/arm/nwfpe/fpopcode.c +++ b/arch/arm/nwfpe/fpopcode.c @@ -29,14 +29,14 @@ #ifdef CONFIG_FPE_NWFPE_XP const floatx80 floatx80Constant[] = { - {0x0000, 0x0000000000000000ULL}, /* extended 0.0 */ - {0x3fff, 0x8000000000000000ULL}, /* extended 1.0 */ - {0x4000, 0x8000000000000000ULL}, /* extended 2.0 */ - {0x4000, 0xc000000000000000ULL}, /* extended 3.0 */ - {0x4001, 0x8000000000000000ULL}, /* extended 4.0 */ - {0x4001, 0xa000000000000000ULL}, /* extended 5.0 */ - {0x3ffe, 0x8000000000000000ULL}, /* extended 0.5 */ - {0x4002, 0xa000000000000000ULL} /* extended 10.0 */ + { .high = 0x0000, .low = 0x0000000000000000ULL},/* extended 0.0 */ + { .high = 0x3fff, .low = 0x8000000000000000ULL},/* extended 1.0 */ + { .high = 0x4000, .low = 0x8000000000000000ULL},/* extended 2.0 */ + { .high = 0x4000, .low = 0xc000000000000000ULL},/* extended 3.0 */ + { .high = 0x4001, .low = 0x8000000000000000ULL},/* extended 4.0 */ + { .high = 0x4001, .low = 0xa000000000000000ULL},/* extended 5.0 */ + { .high = 0x3ffe, .low = 0x8000000000000000ULL},/* extended 0.5 */ + { .high = 0x4002, .low = 0xa000000000000000ULL},/* extended 10.0 */ }; #endif -- cgit