Message ID | 1363960122-12884-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
On 22/03/13 13:48, Luis Henriques wrote: > From: Mathias Krause <minipli@googlemail.com> > > CVE-2012-6539 > > BugLink: http://bugs.launchpad.net/bugs/1156728 > > The implementation of dev_ifconf() for the compat ioctl interface uses > an intermediate ifc structure allocated in userland for the duration of > the syscall. Though, it fails to initialize the padding bytes inserted > for alignment and that for leaks four bytes of kernel stack. Add an > explicit memset(0) before filling the structure to avoid the info leak. > > Signed-off-by: Mathias Krause <minipli@googlemail.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit 43da5f2e0d0c69ded3d51907d9552310a6b545e8) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > > Conflicts: > net/socket.c > --- > fs/compat_ioctl.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c > index d84e705..c30134b 100644 > --- a/fs/compat_ioctl.c > +++ b/fs/compat_ioctl.c > @@ -350,6 +350,7 @@ static int dev_ifconf(unsigned int fd, unsigned int cmd, unsigned long arg) > if (copy_from_user(&ifc32, compat_ptr(arg), sizeof(struct ifconf32))) > return -EFAULT; > > + memset(&ifc, 0, sizeof(ifc)); > if (ifc32.ifcbuf == 0) { > ifc32.ifc_len = 0; > ifc.ifc_len = 0; > Clean upstream cherry pick. Acked-by: Colin Ian King <colin.king@canonical.com>
On 03/22/2013 07:58 AM, Colin Ian King wrote:
> Clean upstream cherry pick.
>
> Acked-by: Colin Ian King <colin.king@canonical.com>
>
Noted in the commit log that this is in fact a back port.
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c index d84e705..c30134b 100644 --- a/fs/compat_ioctl.c +++ b/fs/compat_ioctl.c @@ -350,6 +350,7 @@ static int dev_ifconf(unsigned int fd, unsigned int cmd, unsigned long arg) if (copy_from_user(&ifc32, compat_ptr(arg), sizeof(struct ifconf32))) return -EFAULT; + memset(&ifc, 0, sizeof(ifc)); if (ifc32.ifcbuf == 0) { ifc32.ifc_len = 0; ifc.ifc_len = 0;
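Review bot: the "Conflicts:" block in the log names net/socket.c, but the diffstat and the hunk touch only fs/compat_ioctl.c; the log should state that dev_ifconf() lives in fs/compat_ioctl.c in this tree and that the upstream change was relocated there, so the "cherry picked from" line is not read as a clean pick (the follow-up reply already asks for this to be noted as a backport). The placement of the new line itself is right: `memset(&ifc, 0, sizeof(ifc));` sits after the `copy_from_user(&ifc32, ...)` check and before `if (ifc32.ifcbuf == 0)`, so both the empty-buffer path that only sets `ifc.ifc_len = 0` and the normal fill path start from a zeroed struct, which is what clears the alignment padding the log says was leaking four bytes of kernel stack.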