Patchwork [Lucid,CVE-2012-6549] isofs: avoid info leak on export

login
register
mail settings
Submitter Luis Henriques
Date April 17, 2013, 12:24 p.m.
Message ID <1366201481-12482-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/237210/
State New
Headers show

Comments

Luis Henriques - April 17, 2013, 12:24 p.m.
From: Mathias Krause <minipli@googlemail.com>

CVE-2012-6549

BugLink: http://bugs.launchpad.net/bugs/1156774

For type 1 the parent_offset member in struct isofs_fid gets copied
uninitialized to userland. Fix this by initializing it to 0.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
(cherry picked from commit fe685aabf7c8c9f138e5ea900954d295bf229175)

Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 fs/isofs/export.c | 1 +
 1 file changed, 1 insertion(+)
Tim Gardner - April 17, 2013, 12:55 p.m.
On 04/17/2013 06:24 AM, Luis Henriques wrote:
> From: Mathias Krause <minipli@googlemail.com>
> 
> CVE-2012-6549
> 
> BugLink: http://bugs.launchpad.net/bugs/1156774
> 
> For type 1 the parent_offset member in struct isofs_fid gets copied
> uninitialized to userland. Fix this by initializing it to 0.
> 
> Signed-off-by: Mathias Krause <minipli@googlemail.com>
> Signed-off-by: Jan Kara <jack@suse.cz>
> (cherry picked from commit fe685aabf7c8c9f138e5ea900954d295bf229175)
> 
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  fs/isofs/export.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/isofs/export.c b/fs/isofs/export.c
> index e81a305..caec670 100644
> --- a/fs/isofs/export.c
> +++ b/fs/isofs/export.c
> @@ -131,6 +131,7 @@ isofs_export_encode_fh(struct dentry *dentry,
>  	len = 3;
>  	fh32[0] = ei->i_iget5_block;
>   	fh16[2] = (__u16)ei->i_iget5_offset;  /* fh16 [sic] */
> +	fh16[3] = 0;  /* avoid leaking uninitialized data */
>  	fh32[2] = inode->i_generation;
>  	if (connectable && !S_ISDIR(inode->i_mode)) {
>  		struct inode *parent;
>
Colin King - April 17, 2013, 12:55 p.m.
On 17/04/13 13:24, Luis Henriques wrote:
> From: Mathias Krause <minipli@googlemail.com>
>
> CVE-2012-6549
>
> BugLink: http://bugs.launchpad.net/bugs/1156774
>
> For type 1 the parent_offset member in struct isofs_fid gets copied
> uninitialized to userland. Fix this by initializing it to 0.
>
> Signed-off-by: Mathias Krause <minipli@googlemail.com>
> Signed-off-by: Jan Kara <jack@suse.cz>
> (cherry picked from commit fe685aabf7c8c9f138e5ea900954d295bf229175)
>
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>   fs/isofs/export.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/fs/isofs/export.c b/fs/isofs/export.c
> index e81a305..caec670 100644
> --- a/fs/isofs/export.c
> +++ b/fs/isofs/export.c
> @@ -131,6 +131,7 @@ isofs_export_encode_fh(struct dentry *dentry,
>   	len = 3;
>   	fh32[0] = ei->i_iget5_block;
>    	fh16[2] = (__u16)ei->i_iget5_offset;  /* fh16 [sic] */
> +	fh16[3] = 0;  /* avoid leaking uninitialized data */
>   	fh32[2] = inode->i_generation;
>   	if (connectable && !S_ISDIR(inode->i_mode)) {
>   		struct inode *parent;
>
Clean cherry pick, looks good to me.

Acked-by: Colin Ian King <colin.king@canonical.com>

Patch

diff --git a/fs/isofs/export.c b/fs/isofs/export.c
index e81a305..caec670 100644
--- a/fs/isofs/export.c
+++ b/fs/isofs/export.c
@@ -131,6 +131,7 @@  isofs_export_encode_fh(struct dentry *dentry,
 	len = 3;
 	fh32[0] = ei->i_iget5_block;
  	fh16[2] = (__u16)ei->i_iget5_offset;  /* fh16 [sic] */
+	fh16[3] = 0;  /* avoid leaking uninitialized data */
 	fh32[2] = inode->i_generation;
 	if (connectable && !S_ISDIR(inode->i_mode)) {
 		struct inode *parent;