[CVE-2016-4485][Precise, Trusty, LTS-Utopic, Vivid, Wily, Xenial] net: fix infoleak in llc

Luis Henriques luis.henriques at canonical.com
Tue May 10 14:12:22 UTC 2016


From: Kangjie Lu <kangjielu at gmail.com>

The stack object “info” has a total size of 12 bytes. Its last byte
is padding which is not initialized and leaked via “put_cmsg”.

Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit b8670c09f37bdf2847cc44f36511a53afc6161fd)
CVE-2016-4485
BugLink: https://bugs.launchpad.net/bugs/1578496
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/llc/af_llc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index f432d7b6d93a..7752b2ffbc43 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -627,6 +627,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
 	if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
 		struct llc_pktinfo info;
 
+		memset(&info, 0, sizeof(info));
 		info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
 		llc_pdu_decode_dsap(skb, &info.lpi_sap);
 		llc_pdu_decode_da(skb, info.lpi_mac);




More information about the kernel-team mailing list