From patchwork Mon Jan 31 16:20:34 2011
X-Patchwork-Submitter: Andy Whitcroft
X-Patchwork-Id: 81176
From: Andy Whitcroft
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1] net: ax25: fix information leak to userland
Date: Mon, 31 Jan 2011 16:20:34 +0000
Message-Id: <1296490834-14335-2-git-send-email-apw@canonical.com>
X-Mailer: git-send-email 1.7.1
In-Reply-To: <1296490834-14335-1-git-send-email-apw@canonical.com>
References: <1296490834-14335-1-git-send-email-apw@canonical.com>
List-Id: Kernel team discussions
From: Vasiliy Kulikov

Sometimes ax25_getname() doesn't initialize all members of the fsa_digipeater field of the fsa struct; also, the struct has padding bytes between the sax25_call and sax25_ndigis fields. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov
Signed-off-by: David S. Miller

CVE-2010-3875
BugLink: http://bugs.launchpad.net/bugs/710714
(cherry picked from commit fe10ae53384e48c51996941b7720ee16995cbcb7 upstream)
Signed-off-by: Andy Whitcroft
---
 net/ax25/af_ax25.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index cfdfd7e..6e2371a 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr, ax25_cb *ax25; int err = 0; + memset(fsa, 0, sizeof(fsa)); lock_sock(sk); ax25 = ax25_sk(sk); @@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr, fsa->fsa_ax25.sax25_family = AF_AX25; fsa->fsa_ax25.sax25_call = ax25->dest_addr; - fsa->fsa_ax25.sax25_ndigis = 0; if (ax25->digipeat != NULL) { ndigi = ax25->digipeat->ndigi;
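Review bot: In the first hunk (line 1392 region), `memset(fsa, 0, sizeof(fsa));` uses the size of the pointer, not of the structure it points to; the later `fsa->fsa_ax25.sax25_family = AF_AX25;` shows `fsa` is a pointer, so this clears only 4 or 8 bytes at the start of the buffer and the padding and unset fsa_digipeater members described in the commit message are still copied to userland uninitialized. It should be `memset(fsa, 0, sizeof(*fsa));` to zero the whole struct full_sockaddr_ax25 before any field is filled in.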
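Review bot: In the second hunk (line 1403 region), dropping `fsa->fsa_ax25.sax25_ndigis = 0;` is only safe if the memset added earlier in the function covers the entire structure; as written the memset is sized by `sizeof(fsa)` (the pointer), so sax25_ndigis, which lies past the first few bytes, is now left uninitialized on the `ax25->digipeat == NULL` path where the `if` block that assigns `ndigi` does not run. Either keep the explicit assignment or make sure the memset uses `sizeof(*fsa)` so that the removal does not reintroduce a leak of stack contents.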