From: Mathias Krause <minipli@googlemail.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Mathias Krause <minipli@googlemail.com>
Subject: [PATCH 14/14] net: fix info leak in compat dev_ifconf()
Date: Wed, 15 Aug 2012 23:31:57 +0200 [thread overview]
Message-ID: <1345066317-22512-15-git-send-email-minipli@googlemail.com> (raw)
In-Reply-To: <1345066317-22512-1-git-send-email-minipli@googlemail.com>
The implementation of dev_ifconf() for the compat ioctl interface uses
an intermediate ifc structure allocated in userland for the duration of
the syscall. Though, it fails to initialize the padding bytes inserted
for alignment and that for leaks four bytes of kernel stack. Add an
explicit memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/socket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/socket.c b/net/socket.c
index dfe5b66..a5471f8 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2657,6 +2657,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32)
if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf)))
return -EFAULT;
+ memset(&ifc, 0, sizeof(ifc));
if (ifc32.ifcbuf == 0) {
ifc32.ifc_len = 0;
ifc.ifc_len = 0;
--
1.7.10.4
next prev parent reply other threads:[~2012-08-15 21:33 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-15 21:31 [PATCH 00/14] net: info leaks and other bugs Mathias Krause
2012-08-15 21:31 ` [PATCH 01/14] atm: fix info leak in getsockopt(SO_ATMPVC) Mathias Krause
2012-08-15 21:31 ` [PATCH 02/14] atm: fix info leak via getsockname() Mathias Krause
2012-08-15 21:31 ` [PATCH 03/14] Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER) Mathias Krause
2012-08-15 21:31 ` [PATCH 04/14] Bluetooth: HCI - Fix info leak via getsockname() Mathias Krause
2012-08-15 21:31 ` [PATCH 05/14] Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY) Mathias Krause
2012-08-15 21:31 ` [PATCH 06/14] Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST) Mathias Krause
2012-08-15 21:31 ` [PATCH 07/14] Bluetooth: RFCOMM - Fix info leak via getsockname() Mathias Krause
2012-08-15 21:31 ` [PATCH 08/14] Bluetooth: L2CAP " Mathias Krause
2012-08-15 21:31 ` [PATCH 09/14] l2tp: fix " Mathias Krause
2012-08-15 21:31 ` [PATCH 10/14] llc: " Mathias Krause
2012-08-15 21:31 ` [PATCH 11/14] dccp: check ccid before dereferencing Mathias Krause
2012-08-15 21:31 ` [PATCH 12/14] dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO) Mathias Krause
2012-08-15 21:31 ` [PATCH 13/14] ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT) Mathias Krause
2012-08-15 21:31 ` Mathias Krause [this message]
2012-08-16 4:40 ` [PATCH 00/14] net: info leaks and other bugs David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1345066317-22512-15-git-send-email-minipli@googlemail.com \
--to=minipli@googlemail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).