| From 2eb011451c36e04828adfcfae3dd7f6aa122702d Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Wed, 19 Sep 2012 11:33:41 +0000 |
| Subject: [PATCH] xfrm_user: fix info leak in copy_to_user_tmpl() |
| |
| commit 1f86840f897717f86d523a13e99a447e6a5d2fa5 upstream. |
| |
| The memory used for the template copy is a local stack variable. As |
| struct xfrm_user_tmpl contains multiple holes added by the compiler for |
| alignment, not initializing the memory will lead to leaking stack bytes |
| to userland. Add an explicit memset(0) to avoid the info leak. |
| |
| Initial version of the patch by Brad Spengler. |
| |
| Cc: Brad Spengler <spender@grsecurity.net> |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Acked-by: Steffen Klassert <steffen.klassert@secunet.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/xfrm/xfrm_user.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c |
| index 2f72480e6b8d..44d18db58cbb 100644 |
| --- a/net/xfrm/xfrm_user.c |
| +++ b/net/xfrm/xfrm_user.c |
| @@ -1304,6 +1304,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) |
| struct xfrm_user_tmpl *up = &vec[i]; |
| struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; |
| |
| + memset(up, 0, sizeof(*up)); |
| memcpy(&up->id, &kp->id, sizeof(up->id)); |
| up->family = kp->encap_family; |
| memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); |
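Review bot: The added memset(up, 0, sizeof(*up)) at the top of the loop body carries no comment, and because the lines right after it assign the members one by one, it can look redundant to a later reader and be dropped in a cleanup. A short comment above it saying that it clears the compiler-inserted alignment holes in struct xfrm_user_tmpl before the stack copy is sent to userland would record why the call has to stay. The ordering is correct as written: the zeroing has to precede the memcpy() of up->id and the other member stores, so any such comment should also note that the call must remain the first statement that touches *up.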
| -- |
| 1.8.5.2 |
| |