[Lucid CVE-2012-6544 1/2] Bluetooth: L2CAP - Fix info leak via getsockname()

Luis Henriques luis.henriques at canonical.com
Tue Mar 26 17:14:47 UTC 2013

From: Mathias Krause <minipli at googlemail.com>


BugLink: http://bugs.launchpad.net/bugs/1156751

The L2CAP code fails to initialize the l2_bdaddr_type member of struct
sockaddr_l2 and the padding byte added for alignment. It that for leaks
two bytes kernel stack via the getsockname() syscall. Add an explicit
memset(0) before filling the structure to avoid the info leak.

Signed-off-by: Mathias Krause <minipli at googlemail.com>
Cc: Marcel Holtmann <marcel at holtmann.org>
Cc: Gustavo Padovan <gustavo at padovan.org>
Cc: Johan Hedberg <johan.hedberg at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(back ported from commit 792039c73cf176c8e39a6e8beef2c94ff46522ed)

Signed-off-by: Luis Henriques <luis.henriques at canonical.com>

 net/bluetooth/l2cap.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 71120ee..1c20bd9 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1184,6 +1184,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
 	BT_DBG("sock %p, sk %p", sock, sk);
+	memset(la, 0, sizeof(struct sockaddr_l2));
 	addr->sa_family = AF_BLUETOOTH;
 	*len = sizeof(struct sockaddr_l2);

More information about the kernel-team mailing list