[Lucid CVE-2012-6545 2/2] Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)
Luis Henriques
luis.henriques at canonical.com
Tue Mar 26 17:17:02 UTC 2013
From: Mathias Krause <minipli at googlemail.com>
CVE-2012-6545
BugLink: http://bugs.launchpad.net/bugs/1156757
The RFCOMM code fails to initialize the two padding bytes of struct
rfcomm_dev_list_req inserted for alignment before copying it to
userland. Additionally there are two padding bytes in each instance of
struct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus
dev_num times two bytes uninitialized kernel heap memory.
Allocate the memory using kzalloc() to fix this issue.
Signed-off-by: Mathias Krause <minipli at googlemail.com>
Cc: Marcel Holtmann <marcel at holtmann.org>
Cc: Gustavo Padovan <gustavo at padovan.org>
Cc: Johan Hedberg <johan.hedberg at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(back ported from commit f9432c5ec8b1e9a09b9b0e5569e3c73db8de432a)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
Conflicts:
net/bluetooth/rfcomm/tty.c
---
net/bluetooth/rfcomm/tty.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 5f6a305..faea3ef 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -472,7 +472,7 @@ static int rfcomm_get_dev_list(void __user *arg)
size = sizeof(*dl) + dev_num * sizeof(*di);
- if (!(dl = kmalloc(size, GFP_KERNEL)))
+ if (!(dl = kzalloc(size, GFP_KERNEL)))
return -ENOMEM;
di = dl->dev_info;
--
1.8.1.2
More information about the kernel-team
mailing list