Patchwork [3.5.y.z,extended,stable] Patch "netrom: fix info leak via msg_name in nr_recvmsg()" has been added to staging queue

login
register
mail settings
Submitter Luis Henriques
Date May 1, 2013, 11:34 p.m.
Message ID <1367451251-19737-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/240844/
State New
Headers show

Comments

Luis Henriques - May 1, 2013, 11:34 p.m.
This is a note to let you know that I have just added a patch titled

    netrom: fix info leak via msg_name in nr_recvmsg()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From eb57a65662ed9232a79b5f418acf03db836fe2ff Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli@googlemail.com>
Date: Sun, 7 Apr 2013 01:51:57 +0000
Subject: [PATCH] netrom: fix info leak via msg_name in nr_recvmsg()

commit 3ce5efad47b62c57a4f5c54248347085a750ce0e upstream.

In case msg_name is set the sockaddr info gets filled out, as
requested, but the code fails to initialize the padding bytes of
struct sockaddr_ax25 inserted by the compiler for alignment. Also
the sax25_ndigis member does not get assigned, leaking four more
bytes.

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix both issues by initializing the memory with memset(0).

Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/netrom/af_netrom.c | 1 +
 1 file changed, 1 insertion(+)

--
1.8.1.2

Patch

diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 1b9024e..72cad6c 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1177,6 +1177,7 @@  static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
 	}

 	if (sax != NULL) {
+		memset(sax, 0, sizeof(sax));
 		sax->sax25_family = AF_NETROM;
 		skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
 			      AX25_ADDR_LEN);