[ 3.5.y.z extended stable ] Patch "NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Wed May 1 23:34:17 UTC 2013 

This is a note to let you know that I have just added a patch titled

    NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From 636b5080d1e78130cd1787cc3e2e0908239f6636 Mon Sep 17 00:00:00 2001
From: Mathias Krause <minipli at googlemail.com>
Date: Sun, 7 Apr 2013 01:51:58 +0000
Subject: [PATCH] NFC: llcp: fix info leaks via msg_name in llcp_sock_recvmsg()

commit d26d6504f23e803824e8ebd14e52d4fc0a0b09cb upstream.

The code in llcp_sock_recvmsg() does not initialize all the members of
struct sockaddr_nfc_llcp when filling the sockaddr info. Nor does it
initialize the padding bytes of the structure inserted by the compiler
for alignment.

Also, if the socket is in state LLCP_CLOSED or is shutting down during
receive the msg_namelen member is not updated to 0 while otherwise
returning with 0, i.e. "success". The msg_namelen update is also
missing for stream and seqpacket sockets which don't fill the sockaddr
info.

Both issues lead to the fact that the code will leak uninitialized
kernel stack bytes in net/socket.c.

Fix the first issue by initializing the memory used for sockaddr info
with memset(0). Fix the second one by setting msg_namelen to 0 early.
It will be updated later if we're going to fill the msg_name member.

Cc: Lauro Ramos Venancio <lauro.venancio at openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.almeida at openbossa.org>
Cc: Samuel Ortiz <sameo at linux.intel.com>
Signed-off-by: Mathias Krause <minipli at googlemail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
[ luis: 3.5 is not affected by first issue. ]
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/nfc/llcp/sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index e06d458..80200ac 100644
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -570,6 +570,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,

 	pr_debug("%p %zu\n", sk, len);

+	msg->msg_namelen = 0;
+
 	lock_sock(sk);

 	if (sk->sk_state == LLCP_CLOSED &&
--
1.8.1.2

More information about the kernel-team mailing list