Patchwork [4/6] econet: 4 byte infoleak to the network CVE-2011-1173

login
register
mail settings
Submitter Paolo Pisati
Date July 4, 2011, 2:08 p.m.
Message ID <1309788494-2307-5-git-send-email-paolo.pisati@canonical.com>
Download mbox | patch
Permalink /patch/103104/
State New
Headers show

Comments

Paolo Pisati - July 4, 2011, 2:08 p.m.
From: Vasiliy Kulikov <segoon@openwall.com>

BugLink: http://bugs.launchpad.net/bugs/801484

commit upstream 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e

struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
x86_64.  These bytes are not initialized in the variable 'ah' before
sending 'ah' to the network.  This leads to 4 bytes kernel stack
infoleak.

This bug was introduced before the git epoch.

CVE-2011-1173

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
---
 net/econet/af_econet.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Patch

diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index 59092f4..bda42d3 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -434,10 +434,10 @@  static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 		udpdest.sin_addr.s_addr = htonl(network | addr.station);
 	}
 
+	memset(&ah, 0, sizeof(ah));
 	ah.port = port;
 	ah.cb = cb & 0x7f;
 	ah.code = 2;		/* magic */
-	ah.pad = 0;
 
 	/* tack our header on the front of the iovec */
 	size = sizeof(struct aunhdr);