| From 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e Mon Sep 17 00:00:00 2001 |
| From: Vasiliy Kulikov <segoon@openwall.com> |
| Date: Thu, 17 Mar 2011 01:40:10 +0000 |
| Subject: econet: 4 byte infoleak to the network |
| |
| From: Vasiliy Kulikov <segoon@openwall.com> |
| |
| commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream. |
| |
| struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on |
| x86_64. These bytes are not initialized in the variable 'ah' before |
| sending 'ah' to the network. This leads to 4 bytes kernel stack |
| infoleak. |
| |
| This bug was introduced before the git epoch. |
| |
| Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> |
| Acked-by: Phil Blundell <philb@gnu.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/econet/af_econet.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/econet/af_econet.c |
| +++ b/net/econet/af_econet.c |
| @@ -434,10 +434,10 @@ static int econet_sendmsg(struct kiocb * |
| udpdest.sin_addr.s_addr = htonl(network | addr.station); |
| } |
| |
| + memset(&ah, 0, sizeof(ah)); |
| ah.port = port; |
| ah.cb = cb & 0x7f; |
| ah.code = 2; /* magic */ |
| - ah.pad = 0; |
| |
| /* tack our header on the front of the iovec */ |
| size = sizeof(struct aunhdr); |
