linux-kernel.vger.kernel.org archive mirror
From: Andi Kleen <andi@firstfloor.org>
To: segooon@gmail.com, davem@davemloft.net, gregkh@suse.de,
	ak@linux.intel.com, linux-kernel@vger.kernel.org,
	stable@kernel.org
Subject: [PATCH] [60/139] net: ax25: fix information leak to userland
Date: Tue,  1 Feb 2011 16:44:16 -0800 (PST)
Message-ID: <20110202004416.9AA9B3E09BD@tassilo.jf.intel.com>
In-Reply-To: <20110201443.618138584@firstfloor.org>

2.6.35-longterm review patch.  If anyone has any objections, please let me know.

------------------

From: Vasiliy Kulikov <segooon@gmail.com>

[ Upstream commit fe10ae53384e48c51996941b7720ee16995cbcb7 ]

Sometimes ax25_getname() doesn't initialize all members of the fsa_digipeater
field of the fsa struct; the struct also has padding bytes between the
sax25_call and sax25_ndigis fields.  This structure is then copied to
userland, which leaks the contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Andi Kleen <ak@linux.intel.com>

---
 net/ax25/af_ax25.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: linux-2.6.35.y/net/ax25/af_ax25.c
===================================================================
--- linux-2.6.35.y.orig/net/ax25/af_ax25.c
+++ linux-2.6.35.y/net/ax25/af_ax25.c
@@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *s
 	ax25_cb *ax25;
 	int err = 0;
 
+	memset(fsa, 0, sizeof(fsa));
 	lock_sock(sk);
 	ax25 = ax25_sk(sk);
 
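Review bot: `memset(fsa, 0, sizeof(fsa));` clears sizeof(pointer) bytes, not the struct. The next hunk dereferences fsa (`fsa->fsa_ax25.sax25_family = AF_AX25;`), so fsa is a pointer and this zeroes at most the first 8 bytes of the sockaddr, leaving the padding and the unused fsa_digipeater entries that the commit message describes uninitialized. It should read `memset(fsa, 0, sizeof(*fsa));`. Backporting it as posted ships the leak under a patch that claims to fix it; gcc's -Wsizeof-pointer-memaccess warns on exactly this form.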
@@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *s
 
 		fsa->fsa_ax25.sax25_family = AF_AX25;
 		fsa->fsa_ax25.sax25_call   = ax25->dest_addr;
-		fsa->fsa_ax25.sax25_ndigis = 0;
 
 		if (ax25->digipeat != NULL) {
 			ndigi = ax25->digipeat->ndigi;
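Review bot: dropping `fsa->fsa_ax25.sax25_ndigis = 0;` makes the ax25->digipeat == NULL path depend entirely on the memset added at the top of the function, and that memset is written as sizeof(fsa), a pointer-sized clear that cannot reach sax25_ndigis, which the commit message places after sax25_call and its padding. Userland would then read stale stack bytes as the digipeater count. Keep this line until the memset is changed to sizeof(*fsa); once the whole struct is cleared the removal is correct and the assignment is redundant.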

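The leak the commit message describes, and the difference between a pointer-sized and a struct-sized memset, as an added C example that is not code from the patch, the kernel or the author: it reproduces the uapi layout of sockaddr_ax25 and full_sockaddr_ax25 from memory of <linux/ax25.h> (assumed: 2-byte family, 7-byte ax25_address, AX25_MAX_DIGIS = 8, AF_AX25 = 3), fills a buffer poisoned with 0xAA (standing in for stale kernel stack) the way the peer-name branch of ax25_getname() does in three variants (the pre-patch code, the patch as posted with sizeof(fsa), and the patch with sizeof(*fsa)), and counts how many poisoned bytes would reach copy_to_user(). The conn struct, fill_getname(), run_variant(), leaked_bytes() and reported_ndigis() are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed uapi layout (from memory of <linux/ax25.h>, not from this page). */
typedef struct { char ax25_call[7]; } ax25_address;
#define AX25_MAX_DIGIS 8
#define AF_AX25 3

struct sockaddr_ax25 {
    uint16_t     sax25_family;
    ax25_address sax25_call;     /* ends at offset 9; padding before the int */
    int          sax25_ndigis;
};

struct full_sockaddr_ax25 {
    struct sockaddr_ax25 fsa_ax25;
    ax25_address fsa_digipeater[AX25_MAX_DIGIS];
};

/* Constructed stand-in for the ax25_cb fields the getname path reads. */
struct conn {
    ax25_address dest_addr;
    int          ndigi;          /* 0 plays the role of ax25->digipeat == NULL */
    ax25_address digipeat[AX25_MAX_DIGIS];
};

enum variant {
    PRE_PATCH,        /* no memset, explicit sax25_ndigis = 0 */
    PATCH_AS_POSTED,  /* memset(fsa, 0, sizeof(fsa)); assignment removed */
    PATCH_CORRECTED   /* memset(fsa, 0, sizeof(*fsa)); assignment removed */
};

/* Mirrors the peer-name branch of ax25_getname() in the chosen variant. */
static void fill_getname(struct full_sockaddr_ax25 *fsa, const struct conn *c,
                         enum variant v)
{
    if (v == PATCH_AS_POSTED)
        memset(fsa, 0, sizeof(fsa));     /* size of the pointer: 4 or 8 bytes */
    else if (v == PATCH_CORRECTED)
        memset(fsa, 0, sizeof(*fsa));    /* whole struct, padding included */

    fsa->fsa_ax25.sax25_family = AF_AX25;
    fsa->fsa_ax25.sax25_call   = c->dest_addr;
    if (v == PRE_PATCH)
        fsa->fsa_ax25.sax25_ndigis = 0;

    if (c->ndigi > 0) {
        fsa->fsa_ax25.sax25_ndigis = c->ndigi;
        for (int i = 0; i < c->ndigi; i++)
            fsa->fsa_digipeater[i] = c->digipeat[i];
    }
}

/* Poison the output struct with 0xAA (stale kernel stack stand-in), then fill
 * it as the kernel would for a connection with `ndigi` digipeaters. */
static void run_variant(struct full_sockaddr_ax25 *fsa, enum variant v, int ndigi)
{
    struct conn c;
    memset(&c, 0, sizeof c);
    memcpy(c.dest_addr.ax25_call, "DEST-0", 7);
    c.ndigi = ndigi;
    for (int i = 0; i < ndigi; i++)
        memcpy(c.digipeat[i].ax25_call, "DIGI-0", 7);

    memset(fsa, 0xAA, sizeof *fsa);
    fill_getname(fsa, &c, v);
}

/* Bytes still holding the poison after the fill; each one would reach
 * userland through copy_to_user(). Zero means nothing leaks. */
size_t leaked_bytes(enum variant v, int ndigi)
{
    struct full_sockaddr_ax25 fsa;
    run_variant(&fsa, v, ndigi);
    const unsigned char *p = (const unsigned char *)&fsa;
    size_t n = 0;
    for (size_t i = 0; i < sizeof fsa; i++)
        if (p[i] == 0xAA)
            n++;
    return n;
}

/* Digipeater count as userland would read it back. */
int reported_ndigis(enum variant v, int ndigi)
{
    struct full_sockaddr_ax25 fsa;
    run_variant(&fsa, v, ndigi);
    return fsa.fsa_ax25.sax25_ndigis;
}

int main(void)
{
    static const char *const name[] = { "pre-patch", "patch as posted", "sizeof(*fsa)" };
    for (int v = PRE_PATCH; v <= PATCH_CORRECTED; v++)
        printf("%-16s leaks %2zu of %zu bytes; ndigis seen by userland: %d\n",
               name[v], leaked_bytes((enum variant)v, 0),
               sizeof(struct full_sockaddr_ax25), reported_ndigis((enum variant)v, 0));
    return 0;
}
```

For the pre-patch code the poisoned bytes are the padding after sax25_call plus every fsa_digipeater slot the connection does not use. The as-posted memset changes nothing on a path with digipeaters, because the few bytes it clears are overwritten by sax25_family and sax25_call anyway, and on the no-digipeater path it is worse than before: with the explicit assignment gone, sax25_ndigis is returned straight from the stack. Only the sizeof(*fsa) variant leaves no poison. gcc and clang flag the as-posted line with -Wsizeof-pointer-memaccess, which is the review finding in compiler form.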

Thread overview: 149+ messages
2011-02-02  0:43 [PATCH] [0/139] 2.6.35.11 longterm review Andi Kleen
2011-02-02  0:43 ` [PATCH] [1/139] x86, hotplug: Use mwait to offline a processor, fix the legacy case Andi Kleen
2011-02-02  0:43 ` [PATCH] [2/139] fuse: verify ioctl retries Andi Kleen
2011-02-02  0:43 ` [PATCH] [3/139] fuse: fix ioctl when server is 32bit Andi Kleen
2011-02-02  0:43 ` [PATCH] [4/139] ALSA: HDA: Quirk for Dell Vostro 320 to make microphone work Andi Kleen
2011-02-02  0:43 ` [PATCH] [5/139] ALSA: hda: Use position_fix=1 for Acer Aspire 5538 to enable capture on internal mic Andi Kleen
2011-02-02  0:43 ` [PATCH] [6/139] ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and capture Andi Kleen
2011-02-02  0:43 ` [PATCH] [7/139] drm/radeon/kms: don't apply 7xx HDP flush workaround on AGP Andi Kleen
2011-02-02  0:43 ` [PATCH] [8/139] drm/kms: remove spaces from connector names (v2) Andi Kleen
2011-02-02  0:43 ` [PATCH] [9/139] drm/radeon/kms: fix vram base calculation on rs780/rs880 Andi Kleen
2011-02-02  0:43 ` [PATCH] [10/139] nohz: Fix printk_needs_cpu() return value on offline cpus Andi Kleen
2011-02-02  0:43 ` [PATCH] [11/139] nohz: Fix get_next_timer_interrupt() vs cpu hotplug Andi Kleen
2011-02-02  0:43 ` [PATCH] [12/139] NFS: Fix panic after nfs_umount() Andi Kleen
2011-02-02  0:43 ` [PATCH] [13/139] nfsd: Fix possible BUG_ON firing in set_change_info Andi Kleen
2011-02-02  0:43 ` [PATCH] [14/139] NFS: Fix fcntl F_GETLK not reporting some conflicts Andi Kleen
2011-02-02  0:43 ` [PATCH] [15/139] sunrpc: prevent use-after-free on clearing XPT_BUSY Andi Kleen
2011-02-02  0:43 ` [PATCH] [16/139] hwmon: (adm1026) Allow 1 as a valid divider value Andi Kleen
2011-02-02  0:43 ` [PATCH] [17/139] hwmon: (adm1026) Fix setting fan_div Andi Kleen
2011-02-02  0:43 ` [PATCH] [18/139] EDAC: Fix workqueue-related crashes Andi Kleen
2011-02-02  0:43 ` [PATCH] [19/139] amd64_edac: Fix interleaving check Andi Kleen
2011-02-02  0:43 ` [PATCH] [20/139] ASoC: Fix swap of left and right channels for WM8993/4 speaker boost gain Andi Kleen
2011-02-02  0:43 ` [PATCH] [21/139] ASoC: Fix off by one error in WM8994 EQ register bank size Andi Kleen
2011-02-02  0:43 ` [PATCH] [22/139] ASoC: WM8580: Fix R8 initial value Andi Kleen
2011-02-02  0:43 ` [PATCH] [23/139] ASoC: fix deemphasis control in wm8904/55/60 codecs Andi Kleen
2011-02-02  0:43 ` [PATCH] [24/139] bootmem: Add alloc_bootmem_align() Andi Kleen
2011-02-02  0:43 ` [PATCH] [25/139] x86, xsave: Use alloc_bootmem_align() instead of alloc_bootmem() Andi Kleen
2011-02-02  0:43 ` [PATCH] [26/139] IB/uverbs: Handle large number of entries in poll CQ Andi Kleen
2011-02-02  0:43 ` [PATCH] [27/139] PM / Hibernate: Fix PM_POST_* notification with user-space suspend Andi Kleen
2011-02-02  0:43 ` [PATCH] [28/139] ARM: 6535/1: V6 MPCore v6_dma_inv_range and v6_dma_flush_range RWFO fix Andi Kleen
2011-02-02  0:43 ` [PATCH] [29/139] qla2xxx: Correct issue where NPIV-config data was not being allocated for 82xx parts Andi Kleen
2011-02-02  0:43 ` [PATCH] [30/139] qla2xxx: Populate Command Type 6 LUN field properly Andi Kleen
2011-02-02  0:43 ` [PATCH] [31/139] llc: fix a device refcount imbalance Andi Kleen
2011-02-02  0:43 ` [PATCH] [32/139] ath9k: Disable SWBA interrupt on remove_interface Andi Kleen
2011-02-02  0:43 ` [PATCH] [33/139] ath9k: fix bug in tx power Andi Kleen
2011-02-02  0:43 ` [PATCH] [34/139] mac80211: Fix BUG in pskb_expand_head when transmitting shared skbs Andi Kleen
2011-02-02 10:53   ` Helmut Schaa
2011-02-03  0:25     ` Andi Kleen
2011-02-02  0:43 ` [PATCH] [35/139] SPARC/LEON: removed constant timer initialization as if HZ=100, now it reflects the value of HZ Andi Kleen
2011-02-02  0:43 ` [PATCH] [36/139] sparc64: Delete prom_puts() unused Andi Kleen
2011-02-02  0:43 ` [PATCH] [37/139] sparc: Remove prom_pathtoinode() Andi Kleen
2011-02-02  0:43 ` [PATCH] [38/139] sparc: Kill prom devops_{32,64}.c Andi Kleen
2011-02-02  0:43 ` [PATCH] [39/139] sparc64: Unexport prom_service_exists() Andi Kleen
2011-02-02  0:43 ` [PATCH] [40/139] sparc64: Delete prom_setcallback() Andi Kleen
2011-02-02  0:43 ` [PATCH] [41/139] sparc: Do not export prom_nb{get,put}char() Andi Kleen
2011-02-02  0:43 ` [PATCH] [42/139] sparc: Pass buffer pointer all the way down to prom_{get,put}char() Andi Kleen
2011-02-02  0:43 ` [PATCH] [43/139] sparc: Delete prom_*getchar() Andi Kleen
2011-02-02  0:43 ` [PATCH] [44/139] sparc: Write to prom console using indirect buffer Andi Kleen
2011-02-02  0:44 ` [PATCH] [45/139] tcp: Don't change unlocked socket state in tcp_v4_err() Andi Kleen
2011-02-02  0:44 ` [PATCH] [46/139] tcp: Increase TCP_MAXSEG socket option minimum Andi Kleen
2011-02-02  0:44 ` [PATCH] [47/139] tcp: Make TCP_MAXSEG minimum more correct Andi Kleen
2011-02-02  0:44 ` [PATCH] [48/139] tcp: Bug fix in initialization of receive window Andi Kleen
2011-02-02  0:44 ` [PATCH] [49/139] tcp: avoid a possible divide by zero Andi Kleen
2011-02-02  0:44 ` [PATCH] [50/139] tcp: protect sysctl_tcp_cookie_size reads Andi Kleen
2011-02-02  0:44 ` [PATCH] [51/139] 8139cp: fix checksum broken Andi Kleen
2011-02-02  0:44 ` [PATCH] [52/139] r8169: fix sleeping while holding spinlock Andi Kleen
2011-02-02  0:44 ` [PATCH] [53/139] af_unix: limit unix_tot_inflight Andi Kleen
2011-02-02  0:44 ` [PATCH] [54/139] scm: Capture the full credentials of the scm sender Andi Kleen
2011-02-02  0:44 ` [PATCH] [55/139] af_unix: Allow credentials to work across user and pid namespaces Andi Kleen
2011-02-02  0:44 ` [PATCH] [56/139] user_ns: Introduce user_nsmap_uid and user_ns_map_gid Andi Kleen
2011-02-02  0:44 ` [PATCH] [57/139] sock: Introduce cred_to_ucred Andi Kleen
2011-02-02  0:44 ` [PATCH] [58/139] net: Export cred_to_ucred to modules Andi Kleen
2011-02-02  0:44 ` [PATCH] [59/139] af_unix: limit recursion level Andi Kleen
2011-02-02  0:44 ` Andi Kleen [this message]
2011-02-02  0:44 ` [PATCH] [61/139] driver/net/benet: fix be_cmd_multicast_set() memcpy bug Andi Kleen
2011-02-02  0:44 ` [PATCH] [62/139] bonding: Fix slave selection bug Andi Kleen
2011-02-02  0:44 ` [PATCH] [63/139] bridge: fix IPv6 queries for bridge multicast snooping Andi Kleen
2011-02-02  0:44 ` [PATCH] [64/139] cls_cgroup: Fix crash on module unload Andi Kleen
2011-02-02  0:44 ` [PATCH] [65/139] filter: fix sk_filter rcu handling Andi Kleen
2011-02-02  0:44 ` [PATCH] [66/139] econet: Do the correct cleanup after an unprivileged SIOCSIFADDR Andi Kleen
2011-02-02  0:44 ` [PATCH] [67/139] econet: Fix crash in aun_incoming() Andi Kleen
2011-02-02  0:44 ` [PATCH] [68/139] ifb: goto resched directly if error happens and dp->tq isn't empty Andi Kleen
2011-02-02  0:44 ` [PATCH] [69/139] l2tp: Fix modalias of l2tp_ip Andi Kleen
2011-02-02  0:44 ` [PATCH] [70/139] x25: decrement netdev reference counts on unload Andi Kleen
2011-02-02  0:44 ` [PATCH] [71/139] tehuti: Firmware filename is tehuti/bdx.bin Andi Kleen
2011-02-02  0:44 ` [PATCH] [72/139] net/dst: dst_dev_event() called after other notifiers Andi Kleen
2011-02-02  0:44 ` [PATCH] [73/139] net: Fix header size check for GSO case in recvmsg (af_packet) Andi Kleen
2011-02-02  0:44 ` [PATCH] [74/139] net: packet: fix information leak to userland Andi Kleen
2011-02-02  0:44 ` [PATCH] [75/139] ACPICA: Fix Scope() op in module level code Andi Kleen
2011-02-02  0:44 ` [PATCH] [76/139] nouveau: Acknowledge HPD irq in handler, not bottom half Andi Kleen
2011-02-02  0:44 ` [PATCH] [77/139] printk: Fix wake_up_klogd() vs cpu hotplug Andi Kleen
2011-02-02  0:44 ` [PATCH] [78/139] xen: Provide a variant of __RING_SIZE() that is an integer constant expression Andi Kleen
2011-02-02  0:44 ` [PATCH] [79/139] sched: Cure more NO_HZ load average woes Andi Kleen
2011-02-02  0:44 ` [PATCH] [80/139] ACPI: EC: Add another dmi match entry for MSI hardware Andi Kleen
2011-02-02  0:44 ` [PATCH] [81/139] PM / Runtime: Fix pm_runtime_suspended() Andi Kleen
2011-02-02  0:44 ` [PATCH] [82/139] inotify: stop kernel memory leak on file creation failure Andi Kleen
2011-02-02  0:44 ` [PATCH] [83/139] orinoco: fix TKIP countermeasure behaviour Andi Kleen
2011-02-02  0:44 ` [PATCH] [84/139] orinoco: clear countermeasure setting on commit Andi Kleen
2011-02-02  0:44 ` [PATCH] [85/139] x86, amd: Fix panic on AMD CPU family 0x15 Andi Kleen
2011-02-02  0:44 ` [PATCH] [86/139] md: fix bug with re-adding of partially recovered device Andi Kleen
2011-02-02  0:44 ` [PATCH] [87/139] md: protect against NULL reference when waiting to start a raid10 Andi Kleen
2011-02-02  0:44 ` [PATCH] [88/139] tracing: Fix panic when lseek() called on "trace" opened for writing Andi Kleen
2011-02-02  0:44 ` [PATCH] [89/139] x86, gcc-4.6: Use gcc -m options when building vdso Andi Kleen
2011-02-02  0:44 ` [PATCH] [90/139] x86: Enable the intr-remap fault handling after local APIC setup Andi Kleen
2011-02-02  0:44 ` [PATCH] [91/139] x86, vt-d: Handle previous faults after enabling fault handling Andi Kleen
2011-02-02  0:44 ` [PATCH] [92/139] x86, vt-d: Fix the vt-d fault handling irq migration in the x2apic mode Andi Kleen
2011-02-02  0:44 ` [PATCH] [93/139] x86, vt-d: Quirk for masking vtd spec errors to platform error handling logic Andi Kleen
2011-02-02  0:44 ` [PATCH] [94/139] rt2x00: Fix max TX power settings Andi Kleen
2011-02-02  0:44 ` [PATCH] [95/139] ALSA: hda - Enable jack sense for Thinkpad Edge 11 Andi Kleen
2011-02-02  0:44 ` [PATCH] [96/139] Input: synaptics - fix handling of 2-button ClickPads Andi Kleen
2011-02-02  0:44 ` [PATCH] [97/139] install_special_mapping skips security_file_mmap check Andi Kleen
2011-02-02  0:44 ` [PATCH] [98/139] USB: misc: uss720.c: add another vendor/product ID Andi Kleen
2011-02-02  0:44 ` [PATCH] [99/139] USB: ftdi_sio: Add D.O.Tec PID Andi Kleen
2011-02-02  0:44 ` [PATCH] [100/139] USB: usb-storage: unusual_devs entry for the Samsung YP-CP3 Andi Kleen
2011-02-02  0:44 ` [PATCH] [101/139] Revert "USB: gadget: Allow function access to device ID data during bind()" Andi Kleen
2011-02-02  0:45 ` [PATCH] [102/139] p54usb: add 5 more USBIDs Andi Kleen
2011-02-02  0:45 ` [PATCH] [103/139] p54usb: New USB ID for Gemtek WUBI-100GW Andi Kleen
2011-02-02  0:45 ` [PATCH] [104/139] n_gsm: Fix message length handling when building header Andi Kleen
2011-02-02  0:45 ` [PATCH] [105/139] n_gsm: gsm_data_alloc buffer allocation could fail and it is not being checked Andi Kleen
2011-02-02  0:45 ` [PATCH] [106/139] xhci: Fix issue with port array setup and buggy hosts Andi Kleen
2011-02-02  0:45 ` [PATCH] [107/139] gpio: Fix null pointer dereference while accessing rdc321x platform_data Andi Kleen
2011-02-02  0:45 ` [PATCH] [108/139] cs5535-gpio: don't apply errata #36 to edge detect GPIOs Andi Kleen
2011-02-02  0:45 ` [PATCH] [109/139] cs5535-gpio: handle GPIO regs where higher (clear) bits are set Andi Kleen
2011-02-02  0:45 ` [PATCH] [110/139] mmc: at91_mci: fix multiblock SDIO transfers Andi Kleen
2011-02-02  0:45 ` [PATCH] [111/139] mmc: atmel-mci: " Andi Kleen
2011-02-02  0:45 ` [PATCH] [112/139] mmc: Fix re-probing with PM_POST_RESTORE notification Andi Kleen
2011-02-02  0:45 ` [PATCH] [113/139] fix freeing user_struct in user cache Andi Kleen
2011-02-02  0:45 ` [PATCH] [114/139] rtc: rs5c372: fix buffer size Andi Kleen
2011-02-02  0:45 ` [PATCH] [115/139] RAMOOPS: Don't overflow over non-allocated regions Andi Kleen
2011-02-02  0:45 ` [PATCH] [116/139] watchdog: Fix null pointer dereference while accessing rdc321x platform_data Andi Kleen
2011-02-02  0:45 ` [PATCH] [117/139] arch/x86/oprofile/op_model_amd.c: Perform initialisation on a single CPU Andi Kleen
2011-02-02  0:45 ` [PATCH] [118/139] mfd: Support additional parent IDs for wm831x Andi Kleen
2011-02-02  0:45 ` [PATCH] [119/139] mfd: Supply IRQ base for WM832x devices Andi Kleen
2011-02-02  0:45 ` [PATCH] [120/139] drm/radeon/kms/evergreen: reset the grbm blocks at resume and init Andi Kleen
2011-02-02  0:45 ` [PATCH] [121/139] drm/radeon/kms: fix evergreen asic reset Andi Kleen
2011-02-02  0:45 ` [PATCH] [122/139] drm/radeon/kms: reorder display resume to avoid problems Andi Kleen
2011-02-02  0:45 ` [PATCH] [123/139] drm/i915/dp: Fix I2C/EDID handling with active DisplayPort to DVI converter Andi Kleen
2011-02-02  0:45 ` [PATCH] [124/139] sound: Prevent buffer overflow in OSS load_mixer_volumes Andi Kleen
2011-02-02  0:45 ` [PATCH] [125/139] mv_xor: fix race in tasklet function Andi Kleen
2011-02-02  0:45 ` [PATCH] [126/139] ima: fix add LSM rule bug Andi Kleen
2011-02-02  0:45 ` [PATCH] [127/139] libata-sff: fix HSM_ST_ERR handling in __ata_sff_port_intr() Andi Kleen
2011-02-02  0:45 ` [PATCH] [128/139] mac80211: fix mesh forwarding Andi Kleen
2011-02-02  7:56   ` Johannes Berg
2011-02-03  0:06     ` Andi Kleen
2011-02-02  0:45 ` [PATCH] [129/139] ALSA: hda: Use LPIB quirk for Dell Inspiron m101z/1120 Andi Kleen
2011-02-02  0:45 ` [PATCH] [130/139] Sched: fix skip_clock_update optimization Andi Kleen
2011-02-02  0:45 ` [PATCH] [131/139] block: Deprecate QUEUE_FLAG_CLUSTER and use queue_limits instead Andi Kleen
2011-02-02  0:45 ` [PATCH] [132/139] x86/microcode: Fix double vfree() and remove redundant pointer checks before vfree() Andi Kleen
2011-02-02  0:45 ` [PATCH] [133/139] posix-cpu-timers: workaround to suppress the problems with mt exec Andi Kleen
2011-02-02  0:45 ` [PATCH] [134/139] gspca - sonixj: Set the flag for some devices Andi Kleen
2011-02-02  0:45 ` [PATCH] [135/139] gspca - sonixj: Add a flag in the driver_info table Andi Kleen
2011-02-02  0:45 ` [PATCH] [136/139] [PATCH 2.6.35] mac80211: fix hard lockup in Andi Kleen
2011-02-02  0:45 ` [PATCH] [137/139] Input: i8042 - introduce 'notimeout' blacklist for Dell Vostro V13 Andi Kleen
2011-02-02  0:45 ` [PATCH] [138/139] Revert drm/radeon/kms: properly compute group_size on 6xx/7xx Andi Kleen
2011-02-02  0:45 ` [PATCH] [139/139] Subject: Release 2.6.35.11 Andi Kleen
2011-02-04 17:38 ` [PATCH] [0/139] 2.6.35.11 longterm review Frederic Weisbecker
2011-02-05 23:55   ` Andi Kleen
2011-02-06  0:45     ` Frederic Weisbecker
2011-02-06 18:02     ` Chuck Ebbert
2011-02-06 20:39       ` Andi Kleen