Patchwork [3.5.y.z,extended,stable] Patch "ipvs: info leak in __ip_vs_get_dest_entries()" has been added to staging queue

login
register
mail settings
Submitter Luis Henriques
Date July 5, 2013, 11:02 a.m.
Message ID <1373022144-24872-1-git-send-email-luis.henriques@canonical.com>
Download mbox | patch
Permalink /patch/257151/
State New
Headers show

Comments

Luis Henriques - July 5, 2013, 11:02 a.m.
This is a note to let you know that I have just added a patch titled

    ipvs: info leak in __ip_vs_get_dest_entries()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

From 99ace42a26369052a8cca7dd681565627c67a90d Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 3 Jun 2013 12:00:49 +0300
Subject: [PATCH] ipvs: info leak in __ip_vs_get_dest_entries()

commit a8241c63517ec0b900695daa9003cddc41c536a1 upstream.

The entry struct has a 2 byte hole after ->port and another 4 byte
hole after ->stats.outpkts.  You must have CAP_NET_ADMIN in your
namespace to hit this information leak.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/netfilter/ipvs/ip_vs_ctl.c | 1 +
 1 file changed, 1 insertion(+)

--
1.8.1.2

Patch

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 72bf32a..526da6e 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2549,6 +2549,7 @@  __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
 		struct ip_vs_dest *dest;
 		struct ip_vs_dest_entry entry;

+		memset(&entry, 0, sizeof(entry));
 		list_for_each_entry(dest, &svc->destinations, n_list) {
 			if (count >= get->num_dests)
 				break;