[cve-2010-3876] net: packet: fix information leak to userland
Stefan Bader
stefan.bader at canonical.com
Tue Feb 1 14:43:27 UTC 2011
On 02/01/2011 03:26 PM, Andy Whitcroft wrote:
> The ax25_getname function in net/ax25/af_ax25.c in the Linux kernel
> before 2.6.37-rc2 does not initialize a certain structure, which allows
> local users to obtain potentially sensitive information from kernel stack
> memory by reading a copy of this structure.
>
> Following this email are CVE patches for Dapper, Hardy, Karmic, Lucid,
> and Maverick. These are all trivial backports from the upstream commit
> below:
>
> commit fe10ae53384e48c51996941b7720ee16995cbcb7
> Author: Vasiliy Kulikov <segooon at gmail.com>
> Date: Wed Nov 10 10:14:33 2010 -0800
>
> net: ax25: fix information leak to userland
>
> Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
> field of fsa struct, also the struct has padding bytes between
> sax25_call and sax25_ndigis fields. This structure is then copied to
> userland. It leads to leaking of contents of kernel stack memory.
>
> Signed-off-by: Vasiliy Kulikov <segooon at gmail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
>
> -apw
>
So strlcpy would always add a terminating zero while strncpy might not _if_ the
string is 14chars long. Hope that won't happen then...
ACK for all of them.
More information about the kernel-team
mailing list