[PATCH 1/1] net: ax25: fix information leak to userland

Tim Gardner tim.gardner at canonical.com
Mon Jan 31 16:25:26 UTC 2011


On 01/31/2011 09:20 AM, Andy Whitcroft wrote:
> From: Vasiliy Kulikov<segooon at gmail.com>
>
> Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
> field of fsa struct, also the struct has padding bytes between
> sax25_call and sax25_ndigis fields.  This structure is then copied to
> userland.  It leads to leaking of contents of kernel stack memory.
>
> Signed-off-by: Vasiliy Kulikov<segooon at gmail.com>
> Signed-off-by: David S. Miller<davem at davemloft.net>
>
> CVE-2010-3875
> BugLink: http://bugs.launchpad.net/bugs/710714
> (cherry picked from commit fe10ae53384e48c51996941b7720ee16995cbcb7 upstream)
> Signed-off-by: Andy Whitcroft<apw at canonical.com>
> ---
>   net/ax25/af_ax25.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
> index cfdfd7e..6e2371a 100644
> --- a/net/ax25/af_ax25.c
> +++ b/net/ax25/af_ax25.c
> @@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
>   	ax25_cb *ax25;
>   	int err = 0;
>
> +	memset(fsa, 0, sizeof(fsa));
>   	lock_sock(sk);
>   	ax25 = ax25_sk(sk);
>
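Review bot: `memset(fsa, 0, sizeof(fsa))` zeroes only `sizeof(a pointer)` bytes, since `fsa` is used as a pointer (`fsa->fsa_ax25...` below), so the bulk of the structure, including the padding between `sax25_call` and `sax25_ndigis` and the `fsa_digipeater` array the commit message describes, is still left uninitialized before it is copied to userland. The argument should be the size of the pointed-to object: `memset(fsa, 0, sizeof(*fsa));`.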
> @@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
>
>   		fsa->fsa_ax25.sax25_family = AF_AX25;
>   		fsa->fsa_ax25.sax25_call   = ax25->dest_addr;
> -		fsa->fsa_ax25.sax25_ndigis = 0;
>
>   		if (ax25->digipeat != NULL) {
>   			ndigi = ax25->digipeat->ndigi;
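Review bot: dropping the explicit `fsa->fsa_ax25.sax25_ndigis = 0;` is only safe if the `memset` added in the previous hunk actually clears the whole structure; with `sizeof(fsa)` it clears a pointer's worth of bytes, so this removal may reintroduce an uninitialized `sax25_ndigis` on the `digipeat == NULL` path. Either keep the assignment or correct the `memset` length to `sizeof(*fsa)`.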

shouldn't that be 'memset(fsa, 0, sizeof(*fsa));' ?

-- 
Tim Gardner tim.gardner at canonical.com
