{"id":807030,"url":"http://patchwork.ozlabs.org/api/patches/807030/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/patch/1504002694-1931-7-git-send-email-steffen.klassert@secunet.com/","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<1504002694-1931-7-git-send-email-steffen.klassert@secunet.com>","list_archive_url":null,"date":"2017-08-29T10:31:33","name":"[6/7] xfrm_user: fix info leak in build_expire()","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"cad443481f9ee93433780f8bf78942be79f486fa","submitter":{"id":1442,"url":"http://patchwork.ozlabs.org/api/people/1442/?format=json","name":"Steffen Klassert","email":"steffen.klassert@secunet.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/1504002694-1931-7-git-send-email-steffen.klassert@secunet.com/mbox/","series":[{"id":343,"url":"http://patchwork.ozlabs.org/api/series/343/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/list/?series=343","date":"2017-08-29T10:31:28","name":"[1/7] net: xfrm: don't double-hold dst when sk_policy in use.","version":1,"mbox":"http://patchwork.ozlabs.org/series/343/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/807030/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/807030/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xhQMH0fxhz9t45\n\tfor <patchwork-incoming@ozlabs.org>;\n\tTue, 29 Aug 2017 20:47:11 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1752302AbdH2Kbz (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tTue, 29 Aug 2017 06:31:55 -0400","from a.mx.secunet.com ([62.96.220.36]:50686 \"EHLO a.mx.secunet.com\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1752172AbdH2Kbo (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tTue, 29 Aug 2017 06:31:44 -0400","from localhost (localhost [127.0.0.1])\n\tby a.mx.secunet.com (Postfix) with ESMTP id 264F320192;\n\tTue, 29 Aug 2017 12:31:43 +0200 (CEST)","from a.mx.secunet.com ([127.0.0.1])\n\tby localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id lBQy2jKbqo_P; Tue, 29 Aug 2017 12:31:42 +0200 (CEST)","from mail-essen-01.secunet.de (mail-essen-01.secunet.de\n\t[10.53.40.204])\n\t(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby a.mx.secunet.com (Postfix) with ESMTPS id DF728201AE;\n\tTue, 29 Aug 2017 12:31:41 +0200 (CEST)","from gauss2.secunet.de (10.182.7.193) by mail-essen-01.secunet.de\n\t(10.53.40.204) with Microsoft SMTP Server id 14.3.361.1;\n\tTue, 29 Aug 2017 12:31:41 +0200","by gauss2.secunet.de (Postfix, from userid 1000) id 55E7914058A;\n\tTue, 29 Aug 2017 12:31:41 +0200 (CEST)"],"X-Virus-Scanned":"by secunet","From":"Steffen Klassert <steffen.klassert@secunet.com>","To":"David Miller <davem@davemloft.net>","CC":"Herbert Xu <herbert@gondor.apana.org.au>,\n\tSteffen Klassert <steffen.klassert@secunet.com>, <netdev@vger.kernel.org>","Subject":"[PATCH 6/7] xfrm_user: fix info leak in build_expire()","Date":"Tue, 29 Aug 2017 12:31:33 +0200","Message-ID":"<1504002694-1931-7-git-send-email-steffen.klassert@secunet.com>","X-Mailer":"git-send-email 2.7.4","In-Reply-To":"<1504002694-1931-1-git-send-email-steffen.klassert@secunet.com>","References":"<1504002694-1931-1-git-send-email-steffen.klassert@secunet.com>","MIME-Version":"1.0","Content-Type":"text/plain","X-G-Data-MailSecurity-for-Exchange-State":"0","X-G-Data-MailSecurity-for-Exchange-Error":"0","X-G-Data-MailSecurity-for-Exchange-Sender":"23","X-G-Data-MailSecurity-for-Exchange-Server":"d65e63f7-5c15-413f-8f63-c0d707471c93","X-EXCLAIMER-MD-CONFIG":"2c86f778-e09b-4440-8b15-867914633a10","X-G-Data-MailSecurity-for-Exchange-Guid":"964075C6-8DF6-426B-AB68-CD197E36E835","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"From: Mathias Krause <minipli@googlemail.com>\n\nThe memory reserved to dump the expired xfrm state includes padding\nbytes in struct xfrm_user_expire added by the compiler for alignment. To\nprevent the heap info leak, memset(0) the remainder of the struct.\nInitializing the whole structure isn't needed as copy_to_user_state()\nalready takes care of clearing the padding bytes within the 'state'\nmember.\n\nSigned-off-by: Mathias Krause <minipli@googlemail.com>\nSigned-off-by: Steffen Klassert <steffen.klassert@secunet.com>\n---\n net/xfrm/xfrm_user.c | 2 ++\n 1 file changed, 2 insertions(+)","diff":"diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c\nindex c33516e..2cbdc81 100644\n--- a/net/xfrm/xfrm_user.c\n+++ b/net/xfrm/xfrm_user.c\n@@ -2578,6 +2578,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct\n \tue = nlmsg_data(nlh);\n \tcopy_to_user_state(x, &ue->state);\n \tue->hard = (c->data.hard != 0) ? 1 : 0;\n+\t/* clear the padding bytes */\n+\tmemset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));\n \n \terr = xfrm_mark_put(skb, &x->mark);\n \tif (err)\n","prefixes":["6/7"]}