[ACKED] [PATCH 4/6] econet: 4 byte infoleak to the network CVE-2011-1173

Andy Whitcroft apw at canonical.com
Mon Jul 4 17:02:22 UTC 2011


On Mon, Jul 04, 2011 at 05:22:44PM +0100, paolo.pisati at canonical.com wrote:
> From: Vasiliy Kulikov <segoon at openwall.com>
> 
> BugLink: http://bugs.launchpad.net/bugs/801484
> 
> commit upstream 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e
> 
> struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
> x86_64.  These bytes are not initialized in the variable 'ah' before
> sending 'ah' to the network.  This leads to 4 bytes kernel stack
> infoleak.
> 
> This bug was introduced before the git epoch.
> 
> CVE-2011-1173
> 
> Signed-off-by: Vasiliy Kulikov <segoon at openwall.com>
> Acked-by: Phil Blundell <philb at gnu.org>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
> ---
>  net/econet/af_econet.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
> index 59092f4..bda42d3 100644
> --- a/net/econet/af_econet.c
> +++ b/net/econet/af_econet.c
> @@ -434,10 +434,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
>  		udpdest.sin_addr.s_addr = htonl(network | addr.station);
>  	}
>  
> +	memset(&ah, 0, sizeof(ah));
>  	ah.port = port;
>  	ah.cb = cb & 0x7f;
>  	ah.code = 2;		/* magic */
> -	ah.pad = 0;
>  
>  	/* tack our header on the front of the iovec */
>  	size = sizeof(struct aunhdr);

Looks identicle to the upstream commit, appears sane.

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw




More information about the kernel-team mailing list