Patchwork [Lucid,CVE-2012-6545,2/2] Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)

mail settings
Submitter Luis Henriques
Date March 26, 2013, 5:17 p.m.
Message ID <>
Download mbox | patch
Permalink /patch/231486/
State New
Headers show


Luis Henriques - March 26, 2013, 5:17 p.m.
From: Mathias Krause <>



The RFCOMM code fails to initialize the two padding bytes of struct
rfcomm_dev_list_req inserted for alignment before copying it to
userland. Additionally there are two padding bytes in each instance of
struct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus
dev_num times two bytes uninitialized kernel heap memory.

Allocate the memory using kzalloc() to fix this issue.

Signed-off-by: Mathias Krause <>
Cc: Marcel Holtmann <>
Cc: Gustavo Padovan <>
Cc: Johan Hedberg <>
Signed-off-by: David S. Miller <>
(back ported from commit f9432c5ec8b1e9a09b9b0e5569e3c73db8de432a)

Signed-off-by: Luis Henriques <>

 net/bluetooth/rfcomm/tty.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 5f6a305..faea3ef 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -472,7 +472,7 @@  static int rfcomm_get_dev_list(void __user *arg)
 	size = sizeof(*dl) + dev_num * sizeof(*di);
-	if (!(dl = kmalloc(size, GFP_KERNEL)))
+	if (!(dl = kzalloc(size, GFP_KERNEL)))
 		return -ENOMEM;
 	di = dl->dev_info;