Patchwork Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.

login
register
mail settings
Submitter Filip Palian
Date May 8, 2011, 7:57 p.m.
Message ID <BANLkTik7WyQ977-+8XapTgBrVRMyexyHKg@mail.gmail.com>
Download mbox | patch
Permalink /patch/94603/
State Awaiting Upstream
Delegated to: David Miller
Headers show

Comments

Filip Palian - May 8, 2011, 7:57 p.m.
Hi,

Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
byte each. This byte in "cinfo" is copied to userspace uninitialized.

patch no.1:
-- cut --
-- cut --

Found by Marek Kroemeke and Filip Palian. Special thanks to Vasiliy
Kulikov for verifying this bug.


Best regards.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Vasiliy Kulikov - May 9, 2011, 2:31 p.m.
On Sun, May 08, 2011 at 21:57 +0200, Filip Palian wrote:
> Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
> byte each. This byte in "cinfo" is copied to userspace uninitialized.

Your mail client mangles the patch, it should contain original
identation tabs, not spaces.  Please see Documentation/email-clients.txt.

> patch no.1:

Don't send 2 patches as one email.  Either send 2 email or merge them
into one patch (if they are similar changes).  You'll ease maintainers'
work.

> Found by Marek Kroemeke and Filip Palian.

Please see Documentation/SubmittingPatches, chapter 12 to find out how
to sign the patch.

And please don't crosspost to oss-security and LKML - send a separate
email to o-s with a short description of a bug and a link to the LKML
thread.  LKML thread is a place to argue and discuss the solution, but
o-s subscribers are probably not interested in such a discussion.

Thanks,

Patch

--- a/net/bluetooth/l2cap_sock.c        2011-05-04 03:59:13.000000000 +0100
+++ b/net/bluetooth/l2cap_sock.c        2011-05-08 18:57:20.000000000 +0100
@@ -446,6 +446,7 @@  static int l2cap_sock_getsockopt_old(str
                        break;
                }

+               memset(&cinfo, 0, sizeof(cinfo));
                cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
                memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);

-- cut --

patch no.2:
-- cut --
--- a/net/bluetooth/rfcomm/sock.c       2011-05-04 03:59:13.000000000 +0100
+++ b/net/bluetooth/rfcomm/sock.c       2011-05-08 19:00:24.000000000 +0100
@@ -787,6 +787,7 @@  static int rfcomm_sock_getsockopt_old(st

                l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;

+               memset(&cinfo, 0, sizeof(cinfo));
                cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
                memcpy(cinfo.dev_class,
l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);