From patchwork Fri Mar 22 13:48:42 2013
X-Patchwork-Submitter: Luis Henriques
X-Patchwork-Id: 230033
From: Luis Henriques
To: kernel-team@lists.ubuntu.com
Subject: [Lucid CVE-2012-6539] net: fix info leak in compat dev_ifconf()
Date: Fri, 22 Mar 2013 13:48:42 +0000
Message-Id: <1363960122-12884-1-git-send-email-luis.henriques@canonical.com>
From: Mathias Krause

CVE-2012-6539

BugLink: http://bugs.launchpad.net/bugs/1156728

The implementation of dev_ifconf() for the compat ioctl interface uses an
intermediate ifc structure allocated in userland for the duration of the
syscall. Though, it fails to initialize the padding bytes inserted for
alignment and that for leaks four bytes of kernel stack.

Add an explicit memset(0) before filling the structure to avoid the info
leak.

Signed-off-by: Mathias Krause
Signed-off-by: David S. Miller
(cherry picked from commit 43da5f2e0d0c69ded3d51907d9552310a6b545e8)
Signed-off-by: Luis Henriques
Conflicts:
	net/socket.c
Acked-by: Colin Ian King
---
 fs/compat_ioctl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c index d84e705..c30134b 100644 --- a/fs/compat_ioctl.c +++ b/fs/compat_ioctl.c @@ -350,6 +350,7 @@ static int dev_ifconf(unsigned int fd, unsigned int cmd, unsigned long arg) if (copy_from_user(&ifc32, compat_ptr(arg), sizeof(struct ifconf32))) return -EFAULT; + memset(&ifc, 0, sizeof(ifc)); if (ifc32.ifcbuf == 0) { ifc32.ifc_len = 0; ifc.ifc_len = 0;
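Review bot: the backport note says `Conflicts: net/socket.c` while the only file in the diff is fs/compat_ioctl.c; one sentence stating that dev_ifconf() lives in fs/compat_ioctl.c in this tree, so the upstream hunk from 43da5f2e had to be relocated, would make the cherry-pick much easier to verify. The placement of the added `memset(&ifc, 0, sizeof(ifc));` itself looks right: it follows the `copy_from_user()` of ifc32 and precedes the `if (ifc32.ifcbuf == 0)` branch, so both the empty-buffer path and the normal path start from a fully zeroed ifc, and zeroing the whole object is the only way to reach the padding bytes, which per-field stores such as `ifc.ifc_len = 0;` never write.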
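To show concretely why the commit message talks about padding rather than fields, here is an added example (not code from the patch or the kernel) using a constructed `struct demo_ifconf` with the same int-then-pointer layout as the compat ifconf: on an LP64 target the compiler inserts four padding bytes after the int, field-by-field filling leaves whatever was in that stack slot, and a whole-struct memset is what clears it.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct ifconf: an int length
 * followed by a pointer. On LP64 targets the compiler pads after the
 * int so the pointer is 8-byte aligned; those padding bytes are what
 * the patch's memset() clears before the struct reaches userland. */
struct demo_ifconf {
    int   ifc_len;
    void *ifc_buf;
};

/* Padding between the end of ifc_len and the start of ifc_buf. */
size_t demo_padding_bytes(void) {
    return offsetof(struct demo_ifconf, ifc_buf) - sizeof(int);
}

/* Count padding bytes of `c` that still hold non-zero data. */
size_t demo_dirty_padding(const struct demo_ifconf *c) {
    const unsigned char *raw = (const unsigned char *)c;
    size_t dirty = 0;
    for (size_t i = sizeof(int); i < offsetof(struct demo_ifconf, ifc_buf); i++)
        if (raw[i] != 0)
            dirty++;
    return dirty;
}

/* "Before": the struct lives in a stack slot that already holds other
 * data (simulated here with 0xAA) and is filled field by field. Member
 * stores never touch the padding, so it keeps the stale bytes. */
size_t demo_fill_fieldwise(void) {
    struct demo_ifconf c;
    memset(&c, 0xAA, sizeof(c));   /* stand-in for stale stack contents */
    c.ifc_len = 0;
    c.ifc_buf = NULL;
    return demo_dirty_padding(&c);
}

/* "After": zero the whole object first, exactly as the patch does, so
 * the padding can never carry kernel stack contents to userland. */
size_t demo_fill_zeroed(void) {
    struct demo_ifconf c;
    memset(&c, 0xAA, sizeof(c));   /* same stale contents as above */
    memset(&c, 0, sizeof(c));      /* the line the patch adds */
    c.ifc_len = 0;
    c.ifc_buf = NULL;
    return demo_dirty_padding(&c);
}
```

On a 32-bit build `demo_padding_bytes()` is 0 and both paths report no dirty bytes, which matches the commit message: the leak is specific to the compat (64-bit kernel) layout.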