From patchwork Tue Mar 26 17:18:32 2013
X-Patchwork-Submitter: Luis Henriques
X-Patchwork-Id: 231488
From: Luis Henriques
To: kernel-team@lists.ubuntu.com
Subject: [Lucid CVE-2012-6546 1/2] atm: fix info leak via getsockname()
Date: Tue, 26 Mar 2013 17:18:32 +0000
Message-Id: <1364318313-17073-1-git-send-email-luis.henriques@canonical.com>

From: Mathias Krause

CVE-2012-6546

BugLink: http://bugs.launchpad.net/bugs/1156759

The ATM code fails to initialize the two padding bytes of struct
sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause Signed-off-by: David S. Miller (back ported from commit 3c0c5cfdcd4d69ffc4b9c0907cec99039f30a50a) Signed-off-by: Luis Henriques Conflicts: net/atm/pvc.c --- net/atm/pvc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/atm/pvc.c b/net/atm/pvc.c index d4c0245..523c21a 100644 --- a/net/atm/pvc.c +++ b/net/atm/pvc.c @@ -93,6 +93,7 @@ static int pvc_getname(struct socket *sock,struct sockaddr *sockaddr, if (!vcc->dev || !test_bit(ATM_VF_ADDR,&vcc->flags)) return -ENOTCONN; *sockaddr_len = sizeof(struct sockaddr_atmpvc); addr = (struct sockaddr_atmpvc *) sockaddr; + memset(addr, 0, sizeof(*addr)); addr->sap_family = AF_ATMPVC; addr->sap_addr.itf = vcc->dev->number; addr->sap_addr.vpi = vcc->vpi;
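
Review bot: the added memset(addr, 0, sizeof(*addr)) in pvc_getname() carries no comment saying it exists to clear the two alignment padding bytes of struct sockaddr_atmpvc, so next to the field assignments that follow it reads as redundant and could be dropped in a later cleanup. A one-line comment above it would guard against that, though for a backport staying identical to the upstream change may be the better trade. The commit message lists "Conflicts: net/atm/pvc.c" without saying what conflicted; a sentence on how this backport differs from commit 3c0c5cfdcd4d69ffc4b9c0907cec99039f30a50a would make it easier to verify. The length is fine: sizeof(*addr) matches the sizeof(struct sockaddr_atmpvc) stored in *sockaddr_len, so the whole reported structure is zeroed before it is filled.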