[Lucid,CVE-2012-6540] ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)

Submitted by Luis Henriques on March 22, 2013, 3:05 p.m.

Details

Message ID 1363964730-15979-1-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques March 22, 2013, 3:05 p.m.
From: Mathias Krause <minipli@googlemail.com>

CVE-2012-6540

BugLink: http://bugs.launchpad.net/bugs/1156732

If at least one of CONFIG_IP_VS_PROTO_TCP or CONFIG_IP_VS_PROTO_UDP is
not set, __ip_vs_get_timeouts() does not fully initialize the structure
that gets copied to userland and that for leaks up to 12 bytes of kernel
stack. Add an explicit memset(0) before passing the structure to
__ip_vs_get_timeouts() to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Wensong Zhang <wensong@linux-vs.org>
Cc: Simon Horman <horms@verge.net.au>
Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit 2d8a041b7bfe1097af21441cb77d6af95f4f4680)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

Conflicts:
	net/netfilter/ipvs/ip_vs_ctl.c
---
 net/netfilter/ipvs/ip_vs_ctl.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Tim Gardner March 22, 2013, 3:18 p.m.

Patch hide | download patch | download mbox

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 02b2610..9bcd972 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2455,6 +2455,7 @@  do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 	{
 		struct ip_vs_timeout_user t;
 
+		memset(&t, 0, sizeof(t));
 		__ip_vs_get_timeouts(&t);
 		if (copy_to_user(user, &t, sizeof(t)) != 0)
 			ret = -EFAULT;