From patchwork Tue Nov  9 22:28:44 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Rosenberg <drosenberg@vsecurity.com>
X-Patchwork-Id: 70584
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id A0E5BB7122
	for <patchwork-incoming@ozlabs.org>;
	Wed, 10 Nov 2010 09:29:00 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754437Ab0KIW2z (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 9 Nov 2010 17:28:55 -0500
Received: from mx1.vsecurity.com ([209.67.252.12]:56575 "EHLO
	mx1.vsecurity.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751607Ab0KIW2y (ORCPT
	<rfc822;netdev@vger.kernel.org>); Tue, 9 Nov 2010 17:28:54 -0500
Received: (qmail 43639 invoked from network); 9 Nov 2010 22:27:43 -0000
Received: from unknown (HELO [172.28.170.78]) (drosenbe@[206.205.176.2])
	(envelope-sender <drosenberg@vsecurity.com>)
	by mx1.vsecurity.com (qmail-ldap-1.03) with SMTP
	for <netdev@vger.kernel.org>; 9 Nov 2010 22:27:43 -0000
Subject: [PATCH] Prevent reading uninitialized memory with socket filters
From: Dan Rosenberg <drosenberg@vsecurity.com>
To: netdev@vger.kernel.org
Cc: stable@kernel.org, security@kernel.org
Date: Tue, 09 Nov 2010 17:28:44 -0500
Message-ID: <1289341724.7380.13.camel@dan>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.3 
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The "mem" array used as scratch space for socket filters is not
initialized, allowing unprivileged users to leak kernel stack bytes.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
---
 net/core/filter.c               |    2 ++
 1 file changed, 2 insertions(+), 0 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/core/filter.c b/net/core/filter.c
index 7beaec3..2749ba0 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -121,6 +121,8 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
 	int k;
 	int pc;
 
+	memset(mem, 0, sizeof(mem));
+
 	/*
 	 * Process array of filter instructions.
 	 */