| From e61fc245c50aa75037e51f01a3ef27cb4f684644 Mon Sep 17 00:00:00 2001 |
| From: Mathias Krause <minipli@googlemail.com> |
| Date: Wed, 15 Aug 2012 11:31:57 +0000 |
| Subject: [PATCH] net: fix info leak in compat dev_ifconf() |
| |
| commit 43da5f2e0d0c69ded3d51907d9552310a6b545e8 upstream. |
| |
| The implementation of dev_ifconf() for the compat ioctl interface uses |
| an intermediate ifc structure allocated in userland for the duration of |
| the syscall. However, it fails to initialize the padding bytes inserted |
| for alignment and therefore leaks four bytes of kernel stack. Add an |
| explicit memset(0) before filling the structure to avoid the info leak. |
| |
| Signed-off-by: Mathias Krause <minipli@googlemail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/socket.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| diff --git a/net/socket.c b/net/socket.c |
| index c802797e3a4a..b0d3b6a025ea 100644 |
| --- a/net/socket.c |
| +++ b/net/socket.c |
| @@ -2508,6 +2508,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32) |
| if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf))) |
| return -EFAULT; |
| |
| + memset(&ifc, 0, sizeof(ifc)); |
| if (ifc32.ifcbuf == 0) { |
| ifc32.ifc_len = 0; |
| ifc.ifc_len = 0; |
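Review bot: The added `memset(&ifc, 0, sizeof(ifc));` has no comment saying why it is there, and with `ifc.ifc_len = 0;` assigned just below it, it reads like a redundant clear that a later cleanup could drop. Going by the commit message, it exists to zero the alignment padding in the structure before it is copied out to the user-space buffer, so I would put `/* zero padding too: ifc is copied to user space as a whole */` on the line above it. That comment should also say that an initializer or per-field assignment is not a substitute, since C does not guarantee that either clears padding bytes. The declaration of `ifc` and the copy to user space are outside this hunk, so this is inferred from the description rather than from the visible lines.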
| -- |
| 1.8.5.2 |
| |