Patchwork [3.5.y.z,extended,stable] Patch "ax25: fix info leak via msg_name in ax25_recvmsg()" has been added to staging queue

login
register
mail settings
Submitter Luis Henriques
Date May 1, 2013, 11:33 p.m.
Message ID <1367451230-19475-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/240835/
State New
Headers show

Comments

Luis Henriques - May 1, 2013, 11:33 p.m.
This is a note to let you know that I have just added a patch titled

    ax25: fix info leak via msg_name in ax25_recvmsg()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From dee9c00b03676534a3614d30e3dcf5b4b8c908ba Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Sun, 7 Apr 2013 01:51:48 +0000
Subject: [PATCH] ax25: fix info leak via msg_name in ax25_recvmsg()

commit ef3313e84acbf349caecae942ab3ab731471f1a1 upstream.

When msg_namelen is non-zero the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of struct
sockaddr_ax25 inserted by the compiler for alignment. Additionally the
msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
not always filled up to this size.

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix both issues by initializing the memory with memset(0).

Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/ax25/af_ax25.c | 1 +
 1 file changed, 1 insertion(+)

--
1.8.1.2

Patch

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 779095d..d53a123 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1647,6 +1647,7 @@  static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
 		ax25_address src;
 		const unsigned char *mac = skb_mac_header(skb);

+		memset(sax, 0, sizeof(struct full_sockaddr_ax25));
 		ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
 				&digi, NULL, NULL);
 		sax->sax25_family = AF_AX25;