From patchwork Thu Feb 12 12:35:45 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Clement LECIGNE
X-Patchwork-Id: 23013
X-Patchwork-Delegate: davem@davemloft.net
Return-Path:
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id CB9F8DDDF3 for ; Fri, 13 Feb 2009 00:01:12 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757716AbZBLNBH (ORCPT ); Thu, 12 Feb 2009 08:01:07 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1757552AbZBLNBF (ORCPT ); Thu, 12 Feb 2009 08:01:05 -0500
Received: from netasq.netasq.com ([213.30.137.178]:30554 "EHLO netasq.netasq.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757245AbZBLNBE (ORCPT ); Thu, 12 Feb 2009 08:01:04 -0500
X-Greylist: delayed 1497 seconds by postgrey-1.27 at vger.kernel.org; Thu, 12 Feb 2009 08:01:03 EST
Received: from localhost (unknown [10.0.0.126]) by netasq.netasq.com (Postfix) with ESMTP id 88FA745381; Thu, 12 Feb 2009 13:36:04 +0100 (CET)
Date: Thu, 12 Feb 2009 13:35:45 +0100
From: Clement LECIGNE
To: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org
Subject: [PATCH] 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
Message-ID: <20090212123545.GA46788@clem1.netasq.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Hi,

In function sock_getsockopt() located in net/core/sock.c, optval v.val is not correctly initialized and directly returned in userland in case we have the SO_BSDCOMPAT option set.

This dummy code should trigger the bug:

    #include <stdio.h>
    #include <unistd.h>
    #include <sys/socket.h>

    int main(void)
    {
        unsigned char buf[4] = { 0, 0, 0, 0 };
        socklen_t len = sizeof(buf);   /* must hold the buffer size on entry */
        int sock;

        /* family 33, SOCK_DGRAM, protocol 2, as in the original report */
        sock = socket(33, 2, 2);
        if (sock < 0) {
            perror("socket");
            return 1;
        }

        /* level 1 is SOL_SOCKET on Linux */
        if (getsockopt(sock, 1, SO_BSDCOMPAT, buf, &len) < 0)
            perror("getsockopt");

        /* on an affected kernel these four bytes come from uninitialized kernel stack */
        printf("%02x%02x%02x%02x\n", buf[0], buf[1], buf[2], buf[3]);
        close(sock);
        return 0;
    }

Here is a patch that fixes this bug by initializing v.val just after its declaration.

Signed-off-by: Clément Lecigne

--- linux/net/core/sock.c.orig	2008-12-12 12:27:46.000000000 -0800
+++ linux/net/core/sock.c	2008-12-12 12:27:50.000000000 -0800
@@ -695,6 +695,8 @@ int sock_getsockopt(struct socket *sock,
 	if (len < 0)
 		return -EINVAL;
 
+	v.val = 0;
+
 	switch(optname) {
 	case SO_DEBUG:
 		v.val = sock_flag(sk, SOCK_DBG);
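Review bot: the added `v.val = 0;` clears only the one member named in the report, and the hunk does not show the declaration of `v`; the `v.val` notation suggests a struct or union with other members, and any `case` that fills only part of a wider member would still copy stale stack bytes back to user space, so the narrower fix closes the SO_BSDCOMPAT path but not the pattern. Clearing the whole object at the same point, `memset(&v, 0, sizeof(v));` in place of `v.val = 0;`, covers every branch of the `switch(optname)` below with the same one-line change and is the safer default before a `copy_to_user`.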
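To show in user space why clearing a single member is narrower than clearing the whole object, the following C program emulates the getsockopt path with a constructed union and a pre-filled stand-in for the kernel stack slot, and counts how many stale bytes reach the caller under no fix, the `v.val = 0` fix from this mail, and a whole-object memset. It is an added example, not the kernel's code or the submitter's; the union layout, the `OPT_PARTIAL` case and the 0xAA marker are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical shape of the local option holder: a small integer member
   alongside wider ones. Constructed for this example, not the kernel's
   declaration. */
union optval {
    int val;
    struct { int l_onoff; int l_linger; } ling;
    struct { long tv_sec; long tv_usec; } tm;
};

enum { OPT_BSDCOMPAT = 1, OPT_PARTIAL = 2 };
enum { FIX_NONE = 0, FIX_VAL_ONLY = 1, FIX_WHOLE = 2 };

/* Stand-in for sock_getsockopt(): `slot` plays the role of the local
   variable on the kernel stack, pre-filled by the caller so the stale
   contents are deterministic instead of undefined behaviour. Copies `len`
   bytes of the union to `out` (the copy_to_user step) and returns the
   number of bytes copied. */
static size_t emulated_getsockopt(int optname, int fix, union optval *slot,
                                  unsigned char *out, size_t outlen)
{
    union optval *v = slot;
    size_t len;

    if (fix == FIX_VAL_ONLY)
        v->val = 0;                    /* the change proposed in the mail */
    else if (fix == FIX_WHOLE)
        memset(v, 0, sizeof(*v));      /* clear every member */

    switch (optname) {
    case OPT_BSDCOMPAT:
        /* the reported bug: nothing is assigned before the copy */
        len = sizeof(v->val);
        break;
    case OPT_PARTIAL:
        /* constructed case: only half of a wider member is filled */
        v->ling.l_onoff = 1;
        len = sizeof(v->ling);
        break;
    default:
        return 0;
    }
    if (len > outlen)
        len = outlen;
    memcpy(out, v, len);
    return len;
}

/* Number of bytes in out[0..n) still equal to the marker: 0 means no stale
   stack bytes reached "user space". */
static size_t stale_bytes(const unsigned char *out, size_t n, unsigned char marker)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == marker)
            count++;
    return count;
}

/* Runs one scenario and returns the number of leaked (marker) bytes. */
size_t leak_for(int optname, int fix)
{
    union optval slot;
    unsigned char out[sizeof(union optval)];
    const unsigned char marker = 0xAA;   /* pretend leftover stack content */

    memset(&slot, marker, sizeof(slot));
    memset(out, 0, sizeof(out));
    size_t n = emulated_getsockopt(optname, fix, &slot, out, sizeof(out));
    return stale_bytes(out, n, marker);
}

int main(void)
{
    printf("SO_BSDCOMPAT, no fix:      %zu stale bytes\n", leak_for(OPT_BSDCOMPAT, FIX_NONE));
    printf("SO_BSDCOMPAT, v.val = 0:   %zu stale bytes\n", leak_for(OPT_BSDCOMPAT, FIX_VAL_ONLY));
    printf("partial member, v.val = 0: %zu stale bytes\n", leak_for(OPT_PARTIAL, FIX_VAL_ONLY));
    printf("partial member, memset:    %zu stale bytes\n", leak_for(OPT_PARTIAL, FIX_WHOLE));
    return 0;
}
```

The first two lines of output reproduce the report and the proposed fix (4 stale bytes, then 0); the last two show that zeroing `val` alone leaves the untouched half of a wider member stale, while clearing the whole union at the top of the function leaves nothing to leak regardless of which case runs.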