Message ID | 1368093708-6724-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
On Thu, May 09, 2013 at 11:01:48AM +0100, Luis Henriques wrote: > From: Mathias Krause <minipli@googlemail.com> > > CVE-2013-3223 > > BugLink: https://bugs.launchpad.net/bugs/1172366 > > When msg_namelen is non-zero the sockaddr info gets filled out, as > requested, but the code fails to initialize the padding bytes of struct > sockaddr_ax25 inserted by the compiler for alignment. Additionally the > msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is > not always filled up to this size. > > Both issues lead to the fact that the code will leak uninitialized > kernel stack bytes in net/socket.c. > > Fix both issues by initializing the memory with memset(0). > > Cc: Ralf Baechle <ralf@linux-mips.org> > Signed-off-by: Mathias Krause <minipli@googlemail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit ef3313e84acbf349caecae942ab3ab731471f1a1) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > net/ax25/af_ax25.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c > index 779095d..d53a123 100644 > --- a/net/ax25/af_ax25.c > +++ b/net/ax25/af_ax25.c > @@ -1647,6 +1647,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock, > ax25_address src; > const unsigned char *mac = skb_mac_header(skb); > > + memset(sax, 0, sizeof(struct full_sockaddr_ax25)); > ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, > &digi, NULL, NULL); > sax->sax25_family = AF_AX25; Clean cherry-pick, seems to do what is claimed. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 779095d..d53a123 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1647,6 +1647,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock, ax25_address src; const unsigned char *mac = skb_mac_header(skb); + memset(sax, 0, sizeof(struct full_sockaddr_ax25)); ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, &digi, NULL, NULL); sax->sax25_family = AF_AX25;
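Review bot: The added memset in ax25_recvmsg() clears sizeof(struct full_sockaddr_ax25) bytes through sax with no comment saying why that size is used, and the hunk does not show the bound on the buffer sax points to. Since the commit message says msg_namelen is reported as sizeof(struct full_sockaddr_ax25) but is not always filled to that size, a one-line comment at the memset stating that it covers both the alignment padding and the unfilled tail would keep a later cleanup from shrinking it to sizeof(*sax). It is also worth confirming against the full function that this line sits inside the msg_namelen != 0 branch the commit message describes and that the msg_name buffer is always at least that large.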