ACK: [CVE-2016-4580][precise, trusty, lts-utopic, vivid, wily] net: fix a kernel infoleak in x25 module
Christopher Arges
chris.j.arges at canonical.com
Thu May 26 12:54:50 UTC 2016
On Wed, May 25, 2016 at 04:19:23PM +0100, Luis Henriques wrote:
> From: Kangjie Lu <kangjielu at gmail.com>
>
> Stack object "dte_facilities" is allocated in x25_rx_call_request(),
> which is supposed to be initialized in x25_negotiate_facilities.
> However, 5 fields (8 bytes in total) are not initialized. This
> object is then copied to userland via copy_to_user, thus infoleak
> occurs.
>
> Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit 79e48650320e6fba48369fccf13fd045315b19b8)
> CVE-2016-4580
> BugLink: https://bugs.launchpad.net/bugs/1585366
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> net/x25/x25_facilities.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
> index 36384a1fa9f2..887749c8054d 100644
> --- a/net/x25/x25_facilities.c
> +++ b/net/x25/x25_facilities.c
> @@ -271,6 +271,7 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk,
>
> memset(&theirs, 0, sizeof(theirs));
> memcpy(new, ours, sizeof(*new));
> + memset(dte, 0, sizeof(*dte));
>
> len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask);
> if (len < 0)
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list