From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Norbert Slusarek <nslusarek@gmx.net>,
Oliver Hartkopp <socketcan@hartkopp.net>,
Marc Kleine-Budde <mkl@pengutronix.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH 4.14 43/88] can: bcm: fix infoleak in struct bcm_msg_head
Date: Mon, 28 Jun 2021 10:35:43 -0400 [thread overview]
Message-ID: <20210628143628.33342-44-sashal@kernel.org> (raw)
In-Reply-To: <20210628143628.33342-1-sashal@kernel.org>
From: Norbert Slusarek <nslusarek@gmx.net>
commit 5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc upstream.
On 64-bit systems, struct bcm_msg_head has an added padding of 4 bytes between
struct members count and ival1. Even though all struct members are initialized,
the 4-byte hole will contain data from the kernel stack. This patch zeroes out
struct bcm_msg_head before usage, preventing infoleaks to userspace.
Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
Link: https://lore.kernel.org/r/trinity-7c1b2e82-e34f-4885-8060-2cd7a13769ce-1623532166177@3c-app-gmx-bs52
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/bcm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 12d851c4604d..f691afcc5b8b 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -406,6 +406,7 @@ static void bcm_tx_timeout_tsklet(unsigned long data)
if (!op->count && (op->flags & TX_COUNTEVT)) {
/* create notification to user */
+ memset(&msg_head, 0, sizeof(msg_head));
msg_head.opcode = TX_EXPIRED;
msg_head.flags = op->flags;
msg_head.count = op->count;
@@ -453,6 +454,7 @@ static void bcm_rx_changed(struct bcm_op *op, struct canfd_frame *data)
/* this element is not throttled anymore */
data->flags &= (BCM_CAN_FLAGS_MASK|RX_RECV);
+ memset(&head, 0, sizeof(head));
head.opcode = RX_CHANGED;
head.flags = op->flags;
head.count = op->count;
@@ -567,6 +569,7 @@ static void bcm_rx_timeout_tsklet(unsigned long data)
struct bcm_msg_head msg_head;
/* create notification to user */
+ memset(&msg_head, 0, sizeof(msg_head));
msg_head.opcode = RX_TIMEOUT;
msg_head.flags = op->flags;
msg_head.count = op->count;
--
2.30.2
next prev parent reply other threads:[~2021-06-28 15:09 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-28 14:35 [PATCH 4.14 00/88] 4.14.238-rc1 review Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 01/88] net: ieee802154: fix null deref in parse dev addr Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 02/88] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 03/88] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 04/88] HID: usbhid: fix info leak in hid_submit_ctrl Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 05/88] ARM: OMAP2+: Fix build warning when mmc_omap is not built Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 06/88] HID: gt683r: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 07/88] gfs2: Fix use-after-free in gfs2_glock_shrink_scan Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 08/88] scsi: target: core: Fix warning on realtime kernels Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 09/88] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 10/88] nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 11/88] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 12/88] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 13/88] net: ipconfig: Don't override command-line hostnames or domains Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 14/88] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 15/88] net/x25: Return the correct errno code Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 16/88] net: " Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 17/88] fib: " Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 18/88] dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 19/88] dmaengine: QCOM_HIDMA_MGMT " Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 20/88] dmaengine: stedma40: add missing iounmap() on error in d40_probe() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 21/88] mm/memory-failure: make sure wait for page writeback in memory_failure Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 22/88] batman-adv: Avoid WARN_ON timing related checks Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 23/88] net: ipv4: fix memory leak in netlbl_cipsov4_add_std Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 24/88] net: rds: fix memory leak in rds_recvmsg Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 25/88] udp: fix race between close() and udp_abort() Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 26/88] rtnetlink: Fix regression in bridge VLAN configuration Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 27/88] netfilter: synproxy: Fix out of bounds when parsing TCP options Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 28/88] alx: Fix an error handling path in 'alx_probe()' Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 29/88] net: stmmac: dwmac1000: Fix extended MAC address registers definition Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 30/88] qlcnic: Fix an error handling path in 'qlcnic_probe()' Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 31/88] netxen_nic: Fix an error handling path in 'netxen_nic_probe()' Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 32/88] net: cdc_ncm: switch to eth%d interface naming Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 33/88] net: usb: fix possible use-after-free in smsc75xx_bind Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 34/88] net: ipv4: fix memory leak in ip_mc_add1_src Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 35/88] net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 36/88] be2net: Fix an error handling path in 'be_probe()' Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 37/88] net: hamradio: fix memory leak in mkiss_close Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 38/88] net: cdc_eem: fix tx fixup skb leak Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 39/88] icmp: don't send out ICMP messages with a source address of 0.0.0.0 Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 40/88] net: ethernet: fix potential use-after-free in ec_bhf_remove Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 41/88] radeon: use memcpy_to/fromio for UVD fw upload Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 42/88] hwmon: (scpi-hwmon) shows the negative temperature properly Sasha Levin
2021-06-28 14:35 ` Sasha Levin [this message]
2021-06-28 14:35 ` [PATCH 4.14 44/88] can: mcba_usb: fix memory leak in mcba_usb Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 45/88] usb: core: hub: Disable autosuspend for Cypress CY7C65632 Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 46/88] tracing: Do not stop recording cmdlines when tracing is off Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 47/88] tracing: Do not stop recording comms if the trace file is being read Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 48/88] tracing: Do no increment trace_clock_global() by one Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 49/88] PCI: Mark TI C667X to avoid bus reset Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 50/88] PCI: Mark some NVIDIA GPUs " Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 51/88] PCI: Add ACS quirk for Broadcom BCM57414 NIC Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 52/88] PCI: Work around Huawei Intelligent NIC VF FLR erratum Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 53/88] ARCv2: save ABI registers across signal handling Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 54/88] dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 55/88] net: bridge: fix vlan tunnel dst null pointer dereference Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 56/88] net: bridge: fix vlan tunnel dst refcnt when egressing Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 57/88] mm/slub.c: include swab.h Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 58/88] net: fec_ptp: add clock rate zero check Sasha Levin
2021-06-28 14:35 ` [PATCH 4.14 59/88] can: bcm/raw/isotp: use per module netdevice notifier Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 60/88] inet: use bigger hash table for IP ID generation Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 61/88] usb: dwc3: core: fix kernel panic when do reboot Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 62/88] kernfs: deal with kernfs_fill_super() failures Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 63/88] unfuck sysfs_mount() Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 64/88] x86/fpu: Reset state for all signal restore failures Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 65/88] drm/nouveau: wait for moving fence after pinning v2 Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 66/88] drm/radeon: wait for moving fence after pinning Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 67/88] ARM: 9081/1: fix gcc-10 thumb2-kernel regression Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 68/88] Makefile: Move -Wno-unused-but-set-variable out of GCC only block Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 69/88] MIPS: generic: Update node names to avoid unit addresses Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 70/88] arm64: perf: Disable PMU while processing counter overflows Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 71/88] Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 72/88] mac80211: remove warning in ieee80211_get_sband() Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 73/88] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 74/88] mac80211: drop multicast fragments Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 75/88] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 76/88] inet: annotate date races around sk->sk_txhash Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 77/88] net: caif: fix memory leak in ldisc_open Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 78/88] net/packet: annotate accesses to po->bind Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 79/88] net/packet: annotate accesses to po->ifindex Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 80/88] r8152: Avoid memcpy() over-reading of ETH_SS_STATS Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 81/88] sh_eth: " Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 82/88] r8169: " Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 83/88] net: qed: Fix memcpy() overflow of qed_dcbx_params() Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 84/88] net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 85/88] pinctrl: stm32: fix the reported number of GPIO lines per bank Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 86/88] nilfs2: fix memory leak in nilfs_sysfs_delete_device_group Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 87/88] i2c: robotfuzz-osif: fix control-request directions Sasha Levin
2021-06-28 14:36 ` [PATCH 4.14 88/88] Linux 4.14.238-rc1 Sasha Levin
2021-06-29 11:42 ` [PATCH 4.14 00/88] 4.14.238-rc1 review Naresh Kamboju
2021-06-29 18:19 ` Guenter Roeck
2021-06-30 6:19 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210628143628.33342-44-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkl@pengutronix.de \
--cc=nslusarek@gmx.net \
--cc=socketcan@hartkopp.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).