[Lucid CVE-2012-6545 2/2] Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)

Luis Henriques luis.henriques at canonical.com
Tue Mar 26 17:17:02 UTC 2013

From: Mathias Krause <minipli at googlemail.com>


BugLink: http://bugs.launchpad.net/bugs/1156757

The RFCOMM code fails to initialize the two padding bytes of struct
rfcomm_dev_list_req inserted for alignment before copying it to
userland. Additionally there are two padding bytes in each instance of
struct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus
dev_num times two bytes uninitialized kernel heap memory.

Allocate the memory using kzalloc() to fix this issue.

Signed-off-by: Mathias Krause <minipli at googlemail.com>
Cc: Marcel Holtmann <marcel at holtmann.org>
Cc: Gustavo Padovan <gustavo at padovan.org>
Cc: Johan Hedberg <johan.hedberg at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(back ported from commit f9432c5ec8b1e9a09b9b0e5569e3c73db8de432a)

Signed-off-by: Luis Henriques <luis.henriques at canonical.com>

 net/bluetooth/rfcomm/tty.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 5f6a305..faea3ef 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -472,7 +472,7 @@ static int rfcomm_get_dev_list(void __user *arg)
 	size = sizeof(*dl) + dev_num * sizeof(*di);
-	if (!(dl = kmalloc(size, GFP_KERNEL)))
+	if (!(dl = kzalloc(size, GFP_KERNEL)))
 		return -ENOMEM;
 	di = dl->dev_info;

More information about the kernel-team mailing list