[Lucid,CVE-2012-6545,2/2] Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)

Message ID 1364318222-16926-2-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques March 26, 2013, 5:17 p.m.
From: Mathias Krause <minipli@googlemail.com>


BugLink: http://bugs.launchpad.net/bugs/1156757

The RFCOMM code fails to initialize the two padding bytes of struct
rfcomm_dev_list_req inserted for alignment before copying it to
userland. Additionally there are two padding bytes in each instance of
struct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus
dev_num times two bytes uninitialized kernel heap memory.

Allocate the memory using kzalloc() to fix this issue.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit f9432c5ec8b1e9a09b9b0e5569e3c73db8de432a)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

 net/bluetooth/rfcomm/tty.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 5f6a305..faea3ef 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -472,7 +472,7 @@  static int rfcomm_get_dev_list(void __user *arg)
 	size = sizeof(*dl) + dev_num * sizeof(*di);
-	if (!(dl = kmalloc(size, GFP_KERNEL)))
+	if (!(dl = kzalloc(size, GFP_KERNEL)))
 		return -ENOMEM;
 	di = dl->dev_info;