From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756637AbcEQCDE (ORCPT ); Mon, 16 May 2016 22:03:04 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:33649 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754501AbcEQBOb (ORCPT ); Mon, 16 May 2016 21:14:31 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kangjie Lu , "David S. Miller" Subject: [PATCH 3.14 16/17] net: fix a kernel infoleak in x25 module Date: Mon, 16 May 2016 18:14:17 -0700 Message-Id: <20160517011347.572230108@linuxfoundation.org> X-Mailer: git-send-email 2.8.2 In-Reply-To: <20160517011346.950684325@linuxfoundation.org> References: <20160517011346.950684325@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kangjie Lu [ Upstream commit 79e48650320e6fba48369fccf13fd045315b19b8 ] Stack object "dte_facilities" is allocated in x25_rx_call_request(), which is supposed to be initialized in x25_negotiate_facilities. However, 5 fields (8 bytes in total) are not initialized. This object is then copied to userland via copy_to_user, thus infoleak occurs. Signed-off-by: Kangjie Lu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/x25/x25_facilities.c | 1 + 1 file changed, 1 insertion(+) --- a/net/x25/x25_facilities.c +++ b/net/x25/x25_facilities.c @@ -277,6 +277,7 @@ int x25_negotiate_facilities(struct sk_b memset(&theirs, 0, sizeof(theirs)); memcpy(new, ours, sizeof(*new)); + memset(dte, 0, sizeof(*dte)); len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask); if (len < 0)
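Review bot: the added memset(dte, 0, sizeof(*dte)) just before the x25_parse_facilities() call only covers callers that reach the parser through x25_negotiate_facilities(). Because x25_parse_facilities() takes dte as an output argument, any other caller that passes it an unzeroed object would still leave the same fields unset. It is worth confirming that no such caller exists, or zeroing the object at its declaration in x25_rx_call_request(), which the commit message names as the allocation site. The commit message would also be easier to audit if it named the 5 fields (8 bytes in total) and the call path that reaches copy_to_user. A one-line comment above the memset, noting that the struct is later copied to userland, would keep the zeroing from being removed as redundant.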