Patchwork [Lucid,CVE-2012-6542] llc: fix info leak via getsockname()

login
register
mail settings
Submitter Luis Henriques
Date March 26, 2013, 5:12 p.m.
Message ID <1364317957-16512-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/231483/
State New
Headers show

Comments

Luis Henriques - March 26, 2013, 5:12 p.m.
From: Mathias Krause <minipli@googlemail.com>

CVE-2012-6542

BugLink: http://bugs.launchpad.net/bugs/1156743

The LLC code wrongly returns 0, i.e. "success", when the socket is
zapped. Together with the uninitialized uaddrlen pointer argument from
sys_getsockname this leads to an arbitrary memory leak of up to 128
bytes kernel stack via the getsockname() syscall.

Return an error instead when the socket is zapped to prevent the info
leak. Also remove the unnecessary memset(0). We don't directly write to
the memory pointed by uaddr but memcpy() a local structure at the end of
the function that is properly initialized.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 3592aaeb80290bda0f2cf0b5456c97bfc638b192)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/llc/af_llc.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
Tim Gardner - March 26, 2013, 5:32 p.m.

Patch

diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 2da8d14..606b6ad 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -912,14 +912,13 @@  static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
 	struct sockaddr_llc sllc;
 	struct sock *sk = sock->sk;
 	struct llc_sock *llc = llc_sk(sk);
-	int rc = 0;
+	int rc = -EBADF;
 
 	memset(&sllc, 0, sizeof(sllc));
 	lock_sock(sk);
 	if (sock_flag(sk, SOCK_ZAPPED))
 		goto out;
 	*uaddrlen = sizeof(sllc);
-	memset(uaddr, 0, *uaddrlen);
 	if (peer) {
 		rc = -ENOTCONN;
 		if (sk->sk_state != TCP_ESTABLISHED)