From patchwork Tue May 7 13:38:05 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Henriques X-Patchwork-Id: 242249 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id B85B32C015B for ; Tue, 7 May 2013 23:43:20 +1000 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1UZiAj-0004A6-Mg; Tue, 07 May 2013 13:43:13 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1UZi8d-0002h6-A6 for kernel-team@lists.ubuntu.com; Tue, 07 May 2013 13:41:03 +0000 Received: from bl16-161-151.dsl.telepac.pt ([188.81.161.151] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1UZi8c-0000O8-LS; Tue, 07 May 2013 13:41:02 +0000 From: Luis Henriques To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, kernel-team@lists.ubuntu.com Subject: [PATCH 039/118] NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg() Date: Tue, 7 May 2013 14:38:05 +0100 Message-Id: <1367933964-1564-40-git-send-email-luis.henriques@canonical.com> X-Mailer: git-send-email 1.8.1.2 In-Reply-To: <1367933964-1564-1-git-send-email-luis.henriques@canonical.com> References: <1367933964-1564-1-git-send-email-luis.henriques@canonical.com> X-Extended-Stable: 3.5 Cc: Samuel Ortiz , Lauro Ramos Venancio , "David S. Miller" , Mathias Krause , Aloisio Almeida Jr X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com 3.5.7.12 -stable review patch. If anyone has any objections, please let me know. ------------------ From: Mathias Krause commit d26d6504f23e803824e8ebd14e52d4fc0a0b09cb upstream. The code in llcp_sock_recvmsg() does not initialize all the members of struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it initialize the padding bytes of the structure inserted by the compiler for alignment. Also, if the socket is in state LLCP_CLOSED or is shutting down during receive the msg_namelen member is not updated to 0 while otherwise returning with 0, i.e. "success". The msg_namelen update is also missing for stream and seqpacket sockets which don't fill the sockaddr info. Both issues lead to the fact that the code will leak uninitialized kernel stack bytes in net/socket.c. Fix the first issue by initializing the memory used for sockaddr info with memset(0). Fix the second one by setting msg_namelen to 0 early. It will be updated later if we're going to fill the msg_name member. Cc: Lauro Ramos Venancio Cc: Aloisio Almeida Jr Cc: Samuel Ortiz Signed-off-by: Mathias Krause Signed-off-by: David S. Miller [ luis: 3.5 is not affected by first issue. ] Signed-off-by: Luis Henriques --- net/nfc/llcp/sock.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c index e06d458..80200ac 100644 --- a/net/nfc/llcp/sock.c +++ b/net/nfc/llcp/sock.c @@ -570,6 +570,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock, pr_debug("%p %zu\n", sk, len); + msg->msg_namelen = 0; + lock_sock(sk); if (sk->sk_state == LLCP_CLOSED &&