From patchwork Wed Nov 10 18:29:18 2010
X-Patchwork-Submitter: Kulikov Vasiliy
X-Patchwork-Id: 70675
X-Patchwork-Delegate: davem@davemloft.net
From: Vasiliy Kulikov
To: kernel-janitors@vger.kernel.org
Cc: "David S. Miller", Jiri Pirko, Eric Dumazet, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 2/3 RESEND] net: packet: fix information leak to userland
Date: Wed, 10 Nov 2010 21:29:18 +0300
Message-Id: <1289413760-12510-1-git-send-email-segooon@gmail.com>

packet_getname_spkt() doesn't initialize all members of the sa_data field of the sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking the contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy().

The same with packet_getname(): it doesn't initialize the sll_pkttype field of sockaddr_ll. Set it to zero.

Signed-off-by: Vasiliy Kulikov
---
Compile tested.

 net/packet/af_packet.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 3616f27..0856a13 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1719,7 +1719,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
 	rcu_read_lock();
 	dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
 	if (dev)
-		strlcpy(uaddr->sa_data, dev->name, 15);
+		strncpy(uaddr->sa_data, dev->name, 14);
 	else
 		memset(uaddr->sa_data, 0, 14);
 	rcu_read_unlock();
@@ -1742,6 +1742,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
 	sll->sll_family = AF_PACKET;
 	sll->sll_ifindex = po->ifindex;
 	sll->sll_protocol = po->num;
+	sll->sll_pkttype = 0;
 	rcu_read_lock();
 	dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
 	if (dev) {
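Review bot: the literal sizes in the packet_getname_spkt() hunk should be sizeof(uaddr->sa_data) rather than 15 and 14; the old strlcpy(uaddr->sa_data, dev->name, 15) already passed a bound one byte larger than the 14-byte sa_data that the memset(uaddr->sa_data, 0, 14) on the else path implies, and the new strncpy(uaddr->sa_data, dev->name, 14) writes exactly 14 bytes, zero-padding the tail so nothing stale survives, but for an interface name of 14 characters or more it leaves sa_data with no NUL terminator, which strlcpy() always provided. That matches the memset() branch and is fine for userland that treats sa_data as a fixed-width field, but it deserves a sentence in the commit message. Suggest strncpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); and memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); so the two branches cannot drift apart again.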
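Review bot: zeroing sll_pkttype on its own in the packet_getname() hunk closes the one field the commit message names but keeps the fix dependent on every other member of struct sockaddr_ll being assigned on every path; a single memset(sll, 0, sizeof(*sll)) before sll->sll_family = AF_PACKET; would cover sll_pkttype, any padding, and any member that is only written inside the if (dev) { block that follows, for a trivially larger write. If the field-by-field style is kept deliberately, a comment above the assignments stating that every member of sockaddr_ll must be written before the structure is copied to userland would keep the next added field from reintroducing the leak.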
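The mechanism the commit message describes (strlcpy() stops after the terminator, so a short name leaves the tail of sa_data untouched, while strncpy() pads to the full width) can be checked in userland. The program below is an added example, not code from the patch or from the kernel: it stands in for the 14-byte sa_data with a buffer pre-filled with a 0xAA marker playing the role of stale stack contents, copies constructed interface names such as "eth0" into it with a local reimplementation of kernel strlcpy() semantics (kstrlcpy, written here because libc availability varies) and with libc strncpy(), and counts how many marker bytes survive each copy. It also shows the caveat the fix introduces: strncpy() with a 14-character name leaves no NUL terminator.

```c
/* Added example (not from the patch): how many bytes of a 14-byte sa_data
 * each copy routine leaves untouched.  Untouched bytes keep whatever the
 * buffer held before, which in the kernel case is stale stack memory that
 * getname() then copies to userland. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SA_DATA_LEN 14  /* sizeof(struct sockaddr.sa_data) */
#define STALE 0xAA      /* marker standing in for leftover stack contents */

/* Local reimplementation of the kernel's strlcpy() semantics (assumed, so the
 * example builds without kernel headers): copy at most size-1 bytes, always
 * NUL-terminate, return strlen(src). */
static size_t kstrlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size) {
        size_t n = len >= size ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Count sa_data bytes that still hold the STALE marker after a copy. */
static int count_stale(const unsigned char *sa_data)
{
    int n = 0;
    for (int i = 0; i < SA_DATA_LEN; i++)
        if (sa_data[i] == STALE)
            n++;
    return n;
}

/* Pre-fix behaviour: strlcpy(sa_data, name, 15) stops right after the NUL,
 * so every byte past strlen(name)+1 keeps its old contents. */
int stale_after_strlcpy(const char *name)
{
    /* +1 because a bound of 15 may write the byte just past sa_data */
    unsigned char sa_data[SA_DATA_LEN + 1];
    memset(sa_data, STALE, sizeof(sa_data));
    kstrlcpy((char *)sa_data, name, 15);
    return count_stale(sa_data);
}

/* Post-fix behaviour: strncpy(sa_data, name, 14) pads the rest with NULs,
 * so no byte of sa_data keeps its old contents. */
int stale_after_strncpy(const char *name)
{
    unsigned char sa_data[SA_DATA_LEN];
    memset(sa_data, STALE, sizeof(sa_data));
    strncpy((char *)sa_data, name, SA_DATA_LEN);
    return count_stale(sa_data);
}

/* Caveat of the fix: with a name of 14 or more characters strncpy() fills
 * all 14 bytes and leaves no terminator, so userland must not treat
 * sa_data as a C string.  Returns 1 if a NUL is present, 0 otherwise. */
int sa_data_is_terminated_after_strncpy(const char *name)
{
    char sa_data[SA_DATA_LEN];
    strncpy(sa_data, name, SA_DATA_LEN);
    return memchr(sa_data, '\0', SA_DATA_LEN) != NULL;
}

int main(void)
{
    /* Constructed sample names; "eth0" is short, the second is 14 chars. */
    printf("eth0: strlcpy leaves %d stale bytes, strncpy leaves %d\n",
           stale_after_strlcpy("eth0"), stale_after_strncpy("eth0"));
    printf("14-char name terminated after strncpy: %d\n",
           sa_data_is_terminated_after_strncpy("abcdefghijklmn"));
    return 0;
}
```

The count for "eth0" matches the commit message's boundary: strlcpy() writes five bytes and leaves nine stale, and only a name of 13 characters or more fills all 14 bytes (13 characters plus the terminator), which is why the leak needs strlen(dev->name) < 13.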