From patchwork Sun Apr 7 11:51:51 2013
X-Patchwork-Submitter: Mathias Krause
X-Patchwork-Id: 234491
X-Patchwork-Delegate: davem@davemloft.net
From: Mathias Krause
To: "David S. Miller"
Cc: netdev@vger.kernel.org, Allan Stephens, Aloisio Almeida Jr, Andy King, Arnaldo Carvalho de Melo, Dmitry Torokhov, George Zhang, Gustavo Padovan, Johan Hedberg, Jon Maloy, Lauro Ramos Venancio, Marcel Holtmann, Ralf Baechle, Samuel Ortiz, Samuel Ortiz, Sjur Braendeland, Ursula Braun, Brad Spengler, Mathias Krause
Subject: [PATCH 05/16] Bluetooth: SCO - Fix missing msg_namelen update in sco_sock_recvmsg()
Date: Sun, 7 Apr 2013 13:51:51 +0200
Message-Id: <1365335522-29931-6-git-send-email-minipli@googlemail.com>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1365335522-29931-1-git-send-email-minipli@googlemail.com>
References: <1365335522-29931-1-git-send-email-minipli@googlemail.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

If the socket is in state BT_CONNECT2 and BT_SK_DEFER_SETUP is set in the
flags, sco_sock_recvmsg() returns early with 0 without updating the possibly
set msg_namelen member. This, in turn, leads to a 128 byte kernel stack leak
in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it will
be handled in bt_sock_recvmsg().

Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
Signed-off-by: Mathias Krause
---
 net/bluetooth/sco.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index fad0302..fb6192c 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -665,6 +665,7 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock, test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { hci_conn_accept(pi->conn->hcon, 0); sk->sk_state = BT_CONFIG; + msg->msg_namelen = 0; release_sock(sk); return 0;
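Review bot: the added `+ msg->msg_namelen = 0;` inside the BT_CONNECT2 / BT_SK_DEFER_SETUP branch only covers this one early return, so sco_sock_recvmsg() now has two separate places that must honour the caller's msg_namelen contract (this branch and, as the commit message says, bt_sock_recvmsg() for everything else); an alternative that also survives any future early return is to set msg->msg_namelen = 0 once at function entry, before the state check, and let bt_sock_recvmsg() overwrite it when it copies an address. Separately, the hunk header advertises seven new-side lines (`@@ -665,6 +665,7 @@`) but only six hunk lines are visible here (five context lines plus the addition), so the patch as reproduced on this page stops short after `return 0;` and should be applied from the list archive rather than from this rendering.

The stack-leak mechanism the commit message describes, as an added user-space model that is not part of the patch or of the kernel tree. It reproduces the contract between the generic recvmsg caller in net/socket.c and a protocol handler: the caller keeps an uninitialised 128-byte sockaddr_storage on its stack, passes its size in msg_namelen, and afterwards copies msg_namelen bytes back to the user, so a handler that returns early without shrinking msg_namelen exposes the whole buffer. All struct, enum and function names (`model_*`) are illustrative stand-ins; the stale-byte marker replaces the genuinely uninitialised stack content of the real bug so the example stays defined C.

```c
/* Added example, not from the patch or the kernel: a user-space model of the
 * msg_namelen contract behind the fix. In net/socket.c the caller keeps a
 * struct sockaddr_storage (128 bytes) on the kernel stack, sets msg_namelen
 * to its size and, after the protocol handler returns, copies msg_namelen
 * bytes of it to user space. A handler that returns early without shrinking
 * msg_namelen therefore lets the caller copy 128 bytes of stale stack
 * content. All names below are illustrative. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_SOCKADDR_STORAGE_SIZE 128   /* sizeof(struct sockaddr_storage) */
#define MODEL_STALE_BYTE 0xAA             /* stands in for whatever was left on the stack */

struct model_msghdr {            /* the two msghdr fields that matter here */
    void  *msg_name;
    size_t msg_namelen;
};

enum model_state { MODEL_CONFIG, MODEL_CONNECT2 };

struct model_sock {
    enum model_state state;
    int defer_setup;             /* models test_bit(BT_SK_DEFER_SETUP, ...) */
};

/* Modelled on the sco_sock_recvmsg() early-return path in the hunk.
 * `fixed` selects whether the added msg_namelen update is present. */
static int model_sco_recvmsg(struct model_sock *sk, struct model_msghdr *msg, int fixed)
{
    if (sk->state == MODEL_CONNECT2 && sk->defer_setup) {
        sk->state = MODEL_CONFIG;        /* sk->sk_state = BT_CONFIG */
        if (fixed)
            msg->msg_namelen = 0;        /* the one-line fix */
        return 0;                        /* returns 0 with msg_name untouched */
    }
    /* Any other state: the generic layer would fill msg_name and set
     * msg_namelen itself; this model simply reports "no address". */
    msg->msg_namelen = 0;
    return 0;
}

/* Models the caller in net/socket.c. `user_buf` stands in for the user's
 * sockaddr buffer and must hold MODEL_SOCKADDR_STORAGE_SIZE bytes.
 * Returns how many bytes reach the user. */
static size_t model_recvmsg_caller(struct model_sock *sk, int fixed, unsigned char *user_buf)
{
    unsigned char address[MODEL_SOCKADDR_STORAGE_SIZE];
    struct model_msghdr msg = { address, sizeof(address) };

    /* The kernel never initialises this buffer; fill it with a marker so the
     * example stays defined C while still showing what would be exposed. */
    memset(address, MODEL_STALE_BYTE, sizeof(address));

    (void)model_sco_recvmsg(sk, &msg, fixed);

    /* The caller trusts msg_namelen as "bytes the handler filled in"; it has
     * no other way to know whether an address was written. */
    if (msg.msg_namelen > sizeof(address))
        msg.msg_namelen = sizeof(address);
    memcpy(user_buf, address, msg.msg_namelen);
    return msg.msg_namelen;
}

/* Drive the deferred-setup path and return the number of stale bytes the
 * user would receive: 128 without the fix, 0 with it. */
size_t model_stale_bytes_exposed(int fixed)
{
    struct model_sock sk = { MODEL_CONNECT2, 1 };
    unsigned char user_buf[MODEL_SOCKADDR_STORAGE_SIZE];
    size_t n = model_recvmsg_caller(&sk, fixed, user_buf);
    size_t stale = 0, i;

    for (i = 0; i < n; i++)
        if (user_buf[i] == MODEL_STALE_BYTE)
            stale++;
    return stale;
}

int main(void)
{
    printf("stale bytes exposed without fix: %zu\n", model_stale_bytes_exposed(0));
    printf("stale bytes exposed with fix:    %zu\n", model_stale_bytes_exposed(1));
    return 0;
}
```

The point the model makes is that the caller has no independent way to tell "handler wrote no address" from "handler wrote a full-size address": msg_namelen is the only signal, so every return path of a protocol recvmsg handler, including ones that return 0 bytes, must leave it at the number of address bytes actually written.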