| From d69e52e3a58dc5f29bcbe7a4e9d040044ea7b53b Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Wed, 19 Sep 2012 11:33:41 +0000 |
| Subject: xfrm_user: fix info leak in copy_to_user_tmpl() |
| |
| |
| From: Mathias Krause <minipli@googlemail.com> |
| |
| [ Upstream commit 1f86840f897717f86d523a13e99a447e6a5d2fa5 ] |
| |
| The memory used for the template copy is a local stack variable. As |
| struct xfrm_user_tmpl contains multiple holes added by the compiler for |
| alignment, not initializing the memory will lead to leaking stack bytes |
| to userland. Add an explicit memset(0) to avoid the info leak. |
| |
| Initial version of the patch by Brad Spengler. |
| |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Cc: Brad Spengler <spender@grsecurity.net> |
| Acked-by: Steffen Klassert <steffen.klassert@secunet.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/xfrm/xfrm_user.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/xfrm/xfrm_user.c |
| +++ b/net/xfrm/xfrm_user.c |
| @@ -1405,6 +1405,7 @@ static int copy_to_user_tmpl(struct xfrm |
| struct xfrm_user_tmpl *up = &vec[i]; |
| struct xfrm_tmpl *kp = &xp->xfrm_vec[i]; |
| |
| + memset(up, 0, sizeof(*up)); |
| memcpy(&up->id, &kp->id, sizeof(up->id)); |
| up->family = kp->encap_family; |
| memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr)); |
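Review bot: the added memset(up, 0, sizeof(*up)) carries no comment, and because the lines that follow it assign the fields of vec[i] one by one, it reads as redundant and is an easy target for a later cleanup. A one-line comment above it, saying that it clears the compiler-inserted padding in struct xfrm_user_tmpl before the entry is handed to userland, would keep the reason next to the code. Its position ahead of the first memcpy(&up->id, ...) is correct and must stay that way, since moving it after any field write would wipe that field.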