Patchwork [Lucid,CVE-2012-6539] net: fix info leak in compat dev_ifconf()

login
register
mail settings
Submitter Luis Henriques
Date March 22, 2013, 1:48 p.m.
Message ID <1363960122-12884-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/230033/
State New
Headers show

Comments

Luis Henriques - March 22, 2013, 1:48 p.m.
From: Mathias Krause <minipli@googlemail.com>

CVE-2012-6539

BugLink: http://bugs.launchpad.net/bugs/1156728

The implementation of dev_ifconf() for the compat ioctl interface uses
an intermediate ifc structure allocated in userland for the duration of
the syscall. Though, it fails to initialize the padding bytes inserted
for alignment and that for leaks four bytes of kernel stack. Add an
explicit memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 43da5f2e0d0c69ded3d51907d9552310a6b545e8)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

Conflicts:
	net/socket.c
---
 fs/compat_ioctl.c | 1 +
 1 file changed, 1 insertion(+)
Colin King - March 22, 2013, 1:58 p.m.
On 22/03/13 13:48, Luis Henriques wrote:
> From: Mathias Krause <minipli@googlemail.com>
>
> CVE-2012-6539
>
> BugLink: http://bugs.launchpad.net/bugs/1156728
>
> The implementation of dev_ifconf() for the compat ioctl interface uses
> an intermediate ifc structure allocated in userland for the duration of
> the syscall. Though, it fails to initialize the padding bytes inserted
> for alignment and that for leaks four bytes of kernel stack. Add an
> explicit memset(0) before filling the structure to avoid the info leak.
>
> Signed-off-by: Mathias Krause <minipli@googlemail.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (cherry picked from commit 43da5f2e0d0c69ded3d51907d9552310a6b545e8)
>
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
>
> Conflicts:
> 	net/socket.c
> ---
>   fs/compat_ioctl.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
> index d84e705..c30134b 100644
> --- a/fs/compat_ioctl.c
> +++ b/fs/compat_ioctl.c
> @@ -350,6 +350,7 @@ static int dev_ifconf(unsigned int fd, unsigned int cmd, unsigned long arg)
>   	if (copy_from_user(&ifc32, compat_ptr(arg), sizeof(struct ifconf32)))
>   		return -EFAULT;
>
> +	memset(&ifc, 0, sizeof(ifc));
>   	if (ifc32.ifcbuf == 0) {
>   		ifc32.ifc_len = 0;
>   		ifc.ifc_len = 0;
>
Clean upstream cherry pick.

Acked-by: Colin Ian King <colin.king@canonical.com>
Tim Gardner - March 22, 2013, 2:05 p.m.
On 03/22/2013 07:58 AM, Colin Ian King wrote:
> Clean upstream cherry pick.
>
> Acked-by: Colin Ian King <colin.king@canonical.com>
>

Noted in the commit log that this is in fact a back port.

Patch

diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index d84e705..c30134b 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -350,6 +350,7 @@  static int dev_ifconf(unsigned int fd, unsigned int cmd, unsigned long arg)
 	if (copy_from_user(&ifc32, compat_ptr(arg), sizeof(struct ifconf32)))
 		return -EFAULT;
 
+	memset(&ifc, 0, sizeof(ifc));
 	if (ifc32.ifcbuf == 0) {
 		ifc32.ifc_len = 0;
 		ifc.ifc_len = 0;