Patchwork [Lucid,CVE-2012-6540] ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)

login
register
mail settings
Submitter Luis Henriques
Date March 22, 2013, 3:05 p.m.
Message ID <1363964730-15979-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/230082/
State New
Headers show

Comments

Luis Henriques - March 22, 2013, 3:05 p.m.
From: Mathias Krause <minipli@googlemail.com>

CVE-2012-6540

BugLink: http://bugs.launchpad.net/bugs/1156732

If at least one of CONFIG_IP_VS_PROTO_TCP or CONFIG_IP_VS_PROTO_UDP is
not set, __ip_vs_get_timeouts() does not fully initialize the structure
that gets copied to userland and that for leaks up to 12 bytes of kernel
stack. Add an explicit memset(0) before passing the structure to
__ip_vs_get_timeouts() to avoid the info leak.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Wensong Zhang <wensong@linux-vs.org>
Cc: Simon Horman <horms@verge.net.au>
Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit 2d8a041b7bfe1097af21441cb77d6af95f4f4680)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

Conflicts:
	net/netfilter/ipvs/ip_vs_ctl.c
---
 net/netfilter/ipvs/ip_vs_ctl.c | 1 +
 1 file changed, 1 insertion(+)
Tim Gardner - March 22, 2013, 3:18 p.m.

Patch

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 02b2610..9bcd972 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2455,6 +2455,7 @@  do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 	{
 		struct ip_vs_timeout_user t;
 
+		memset(&t, 0, sizeof(t));
 		__ip_vs_get_timeouts(&t);
 		if (copy_to_user(user, &t, sizeof(t)) != 0)
 			ret = -EFAULT;