Patchwork [047/150] rtnl: fix info leak on RTM_GETLINK request for VF devices

login
register
mail settings
Submitter Luis Henriques
Date March 26, 2013, 3:19 p.m.
Message ID <1364311249-14454-48-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/231292/
State New
Headers show

Comments

Luis Henriques - March 26, 2013, 3:19 p.m.
3.5.7.9 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Krause <minipli@googlemail.com>

commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 upstream.

Initialize the mac address buffer with 0 as the driver specific function
will probably not fill the whole buffer. In fact, all in-kernel drivers
fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
bytes. Therefore we currently leak 26 bytes of stack memory to userland
via the netlink interface.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/core/rtnetlink.c | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 6c50ac0..8f37bec 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -981,6 +981,7 @@  static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 			 * report anything.
 			 */
 			ivi.spoofchk = -1;
+			memset(ivi.mac, 0, sizeof(ivi.mac));
 			if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
 				break;
 			vf_mac.vf =