[Lucid CVE 1/3] xfrm_user: fix info leak in copy_to_user_tmpl()

Luis Henriques luis.henriques at canonical.com
Fri Mar 22 11:12:43 UTC 2013

From: Mathias Krause <minipli at googlemail.com>


BugLink: http://bugs.launchpad.net/bugs/1156716

The memory used for the template copy is a local stack variable. As
struct xfrm_user_tmpl contains multiple holes added by the compiler for
alignment, not initializing the memory will lead to leaking stack bytes
to userland. Add an explicit memset(0) to avoid the info leak.

Initial version of the patch by Brad Spengler.

Cc: Brad Spengler <spender at grsecurity.net>
Signed-off-by: Mathias Krause <minipli at googlemail.com>
Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit 1f86840f897717f86d523a13e99a447e6a5d2fa5)

Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
 net/xfrm/xfrm_user.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b95a2d6..ab5f23c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1176,6 +1176,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
 		struct xfrm_user_tmpl *up = &vec[i];
 		struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
+		memset(up, 0, sizeof(*up));
 		memcpy(&up->id, &kp->id, sizeof(up->id));
 		up->family = kp->encap_family;
 		memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));

More information about the kernel-team mailing list