From patchwork Sat Oct 30 14:26:35 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kulikov Vasiliy
X-Patchwork-Id: 69658
X-Patchwork-Delegate: davem@davemloft.net
From: Vasiliy Kulikov
To: kernel-janitors@vger.kernel.org
Cc: "David S. Miller", "Eric W. Biederman", Eric Dumazet, Tejun Heo, "Serge E. Hallyn", netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] net: core: scm: fix information leak to userland
Date: Sat, 30 Oct 2010 18:26:35 +0400
Message-Id: <1288448796-6147-1-git-send-email-segooon@gmail.com>
X-Mailer: git-send-email 1.7.0.4
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Structure cmsghdr is copied to userland with padding bytes uninitialized on architectures where __kernel_size_t is unsigned long. It leads to leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov
---
 Compile tested.

 net/core/scm.c | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/core/scm.c b/net/core/scm.c index 413cab8..a4a9b70 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -233,6 +233,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data) msg->msg_flags |= MSG_CTRUNC; cmlen = msg->msg_controllen; } + memset(&cmhdr, 0, sizeof(cmhdr)); cmhdr.cmsg_level = level; cmhdr.cmsg_type = type; cmhdr.cmsg_len = cmlen;
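
Review bot: the memset(&cmhdr, 0, sizeof(cmhdr)) added in put_cmsg() sits directly above assignments to cmsg_level, cmsg_type and cmsg_len, and neither the hunk nor the commit message shows where the padding is. If those three members cover the whole structure, the memset is redundant; if they do not, a later cleanup could easily drop it as a dead store. Please state in the commit message the member sizes and sizeof(cmhdr) on an affected architecture, so the gap is verifiable, and add a one-line comment above the memset saying it clears padding before the structure is copied to userland. "Compile tested" alone does not confirm the leak; a check that the bytes reaching userland differ before and after the change would.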