From patchwork Tue Apr 26 21:06:28 2011
X-Patchwork-Submitter: Leann Ogasawara
X-Patchwork-Id: 92959
Subject: [Hardy] [CVE-2010-4655] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655
From: Leann Ogasawara
To: kernel-team
Date: Tue, 26 Apr 2011 14:06:28 -0700
Message-ID: <1303851988.2158.31.camel@adamo>

The following changes since commit bb5c3ef299eb1122430f0beef24ca63c29deb6a7:

  Goldwyn Rodrigues (1):
        Treat writes as new when holes span across page boundaries, CVE-2011-0463

are available in the git repository at:

  git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2010-4655

Kees Cook (1):
      net: clear heap allocations for privileged ethtool actions, CVE-2010-4655

 net/core/ethtool.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

From 485e20ad2db57eb064ef49087b2d9878b4131743 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Mon, 11 Oct 2010 12:23:25 -0700
Subject: [PATCH] net: clear heap allocations for privileged ethtool actions, CVE-2010-4655

BugLink: http://bugs.launchpad.net/bugs/771445

CVE-2010-4655

Several other ethtool functions leave heap uncleared (potentially) by
drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
are well controlled. In some situations (e.g. unchecked error conditions),
the heap will remain unchanged in areas before copying back to userspace.
Note that these are less of an issue since these all require CAP_NET_ADMIN.

Cc: stable@kernel.org
Signed-off-by: Kees Cook
Acked-by: Ben Hutchings
Signed-off-by: David S. Miller
(backport of commit 272b62c1f0f6f742046e45b50b6fec98860208a0)
Signed-off-by: Leann Ogasawara
Acked-by: Brad Figg
Acked-by: John Johansen
---
 net/core/ethtool.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c index 1163eb2..28eb246 100644 --- a/net/core/ethtool.c +++ b/net/core/ethtool.c
@@ -226,7 +226,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr) if (regs.len > reglen) regs.len = reglen; - regbuf = kmalloc(reglen, GFP_USER); + regbuf = kzalloc(reglen, GFP_USER); if (!regbuf) return -ENOMEM;
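
Review bot: the backport converts only the regbuf allocation in ethtool_get_regs (1 insertion, 1 deletion), while the commit message is carried over as-is and still speaks of "several other ethtool functions". Suggest adding a line next to "(backport of commit 272b62c1f0f6f742046e45b50b6fec98860208a0)" that says which parts of that commit were left out for Hardy and why, so a later audit does not have to re-check every kmalloc in net/core/ethtool.c whose buffer is copied back to userspace. The kzalloc conversion itself fits this site: regs.len is clamped to reglen just above the allocation, and the buffer is sized by reglen, so any bytes the driver leaves unwritten are now zero rather than stale heap contents.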