Patchwork [Lucid,CVE-2012-6545,2/2] Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)

login
register
mail settings
Submitter Luis Henriques
Date March 26, 2013, 5:17 p.m.
Message ID <1364318222-16926-2-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/231486/
State New
Headers show

Comments

Luis Henriques - March 26, 2013, 5:17 p.m.
From: Mathias Krause <minipli@googlemail.com>

CVE-2012-6545

BugLink: http://bugs.launchpad.net/bugs/1156757

The RFCOMM code fails to initialize the two padding bytes of struct
rfcomm_dev_list_req inserted for alignment before copying it to
userland. Additionally there are two padding bytes in each instance of
struct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus
dev_num times two bytes uninitialized kernel heap memory.

Allocate the memory using kzalloc() to fix this issue.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit f9432c5ec8b1e9a09b9b0e5569e3c73db8de432a)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

Conflicts:
	net/bluetooth/rfcomm/tty.c
---
 net/bluetooth/rfcomm/tty.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 5f6a305..faea3ef 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -472,7 +472,7 @@  static int rfcomm_get_dev_list(void __user *arg)
 
 	size = sizeof(*dl) + dev_num * sizeof(*di);
 
-	if (!(dl = kmalloc(size, GFP_KERNEL)))
+	if (!(dl = kzalloc(size, GFP_KERNEL)))
 		return -ENOMEM;
 
 	di = dl->dev_info;