[Lucid,CVE-2014-1445] wanxl: fix info leak in ioctl

Message ID	1390915277-4655-3-git-send-email-luis.henriques@canonical.com
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Luis Henriques <luis.henriques@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [Lucid][CVE-2014-1445] wanxl: fix info leak in ioctl Date: Tue, 28 Jan 2014 13:21:16 +0000 Message-Id: <1390915277-4655-3-git-send-email-luis.henriques@canonical.com> In-Reply-To: <1390915277-4655-1-git-send-email-luis.henriques@canonical.com> References: <1390915277-4655-1-git-send-email-luis.henriques@canonical.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com

Message ID

1390915277-4655-3-git-send-email-luis.henriques@canonical.com

State

New

Headers

From: Luis Henriques <luis.henriques@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [Lucid][CVE-2014-1445] wanxl: fix info leak in ioctl
Date: Tue, 28 Jan 2014 13:21:16 +0000
Message-Id: <1390915277-4655-3-git-send-email-luis.henriques@canonical.com>
In-Reply-To: <1390915277-4655-1-git-send-email-luis.henriques@canonical.com>
References: <1390915277-4655-1-git-send-email-luis.henriques@canonical.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

Commit Message

Luis Henriques Jan. 28, 2014, 1:21 p.m. UTC

From: Salva Peiró <speiro@ai2.upv.es>

CVE-2014-1445

BugLink: http://bugs.launchpad.net/bugs/1271444

The wanxl_ioctl() code fails to initialize the two padding bytes of
struct sync_serial_settings after the ->loopback member. Add an explicit
memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1)
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 drivers/net/wan/wanxl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wan/wanxl.c b/drivers/net/wan/wanxl.c
index daee8a0..b52b378 100644
--- a/drivers/net/wan/wanxl.c
+++ b/drivers/net/wan/wanxl.c
@@ -354,6 +354,7 @@  static int wanxl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 			ifr->ifr_settings.size = size; /* data size wanted */
 			return -ENOBUFS;
 		}
+		memset(&line, 0, sizeof(line));
 		line.clock_type = get_status(port)->clocking;
 		line.clock_rate = 0;
 		line.loopback = 0;

[Lucid,CVE-2014-1445] wanxl: fix info leak in ioctl

Commit Message

Patch