On Tue, May 03, 2016 at 04:36:08PM -0400, Kangjie Lu wrote: > The stack object “si” has a total size of 128; however, only 20 > bytes are initialized. The remaining uninitialized bytes are sent > to userland via send_signal > > Signed-off-by: Kangjie Lu <[email protected]> > --- > arch/arm64/mm/fault.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c > index 95df28b..f790eda 100644 > --- a/arch/arm64/mm/fault.c > +++ b/arch/arm64/mm/fault.c > @@ -117,6 +117,7 @@ static void __do_user_fault(struct task_struct *tsk, > unsigned long addr, > { > struct siginfo si; > > + memset(&si, 0, sizeof(si)); > if (unhandled_signal(tsk, sig) && show_unhandled_signals_ratelimited()) > { > pr_info("%s[%d]: unhandled %s (%d) at 0x%08lx, esr 0x%03x\n", > tsk->comm, task_pid_nr(tsk), fault_name(esr), sig,
I'm not convinced this is necessary. Have you actually seen such information leak getting to user space? The actual writing of siginfo to the user stack happens in copy_siginfo_to_user() (called from setup_rt_frame) which should (at least in theory) only copy pre-populated fields. -- Catalin
