ACK: [Lucid CVE-2012-6539] net: fix info leak in compat dev_ifconf()

Colin Ian King colin.king at canonical.com
Fri Mar 22 13:58:40 UTC 2013


On 22/03/13 13:48, Luis Henriques wrote:
> From: Mathias Krause <minipli at googlemail.com>
>
> CVE-2012-6539
>
> BugLink: http://bugs.launchpad.net/bugs/1156728
>
> The implementation of dev_ifconf() for the compat ioctl interface uses
> an intermediate ifc structure allocated in userland for the duration of
> the syscall. Though, it fails to initialize the padding bytes inserted
> for alignment and therefore leaks four bytes of kernel stack. Add an
> explicit memset(0) before filling the structure to avoid the info leak.
>
> Signed-off-by: Mathias Krause <minipli at googlemail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit 43da5f2e0d0c69ded3d51907d9552310a6b545e8)
>
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
>
> Conflicts:
> 	net/socket.c
> ---
>   fs/compat_ioctl.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
> index d84e705..c30134b 100644
> --- a/fs/compat_ioctl.c
> +++ b/fs/compat_ioctl.c
> @@ -350,6 +350,7 @@ static int dev_ifconf(unsigned int fd, unsigned int cmd, unsigned long arg)
>   	if (copy_from_user(&ifc32, compat_ptr(arg), sizeof(struct ifconf32)))
>   		return -EFAULT;
>
> +	memset(&ifc, 0, sizeof(ifc));
>   	if (ifc32.ifcbuf == 0) {
>   		ifc32.ifc_len = 0;
>   		ifc.ifc_len = 0;
>
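Review bot: the memset() lands after the copy_from_user() -EFAULT return and before the first store to ifc (the `ifc.ifc_len = 0;` in the ifcbuf == 0 branch), which is the right spot, but the hunk shows neither the declaration of ifc nor the copy that moves it into the userland-allocated structure the commit message describes, so the ack should be checked against the rest of the function: every path that copies ifc out to userland must run after this new line, otherwise the zeroing is bypassed on that path. Separately, the Conflicts: block names net/socket.c while the diffstat touches only fs/compat_ioctl.c; a one-line remark that dev_ifconf() lives in fs/compat_ioctl.c in this tree would make the backport easier to audit.
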
Clean upstream cherry pick.

Acked-by: Colin Ian King <colin.king at canonical.com>
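
The padding leak the commit message describes, as an added C example that is not part of the patch or of the kernel: `struct ifconf_like` is a stand-in for the kernel's native struct ifconf (an int followed by a pointer-sized member, so a 64-bit build gets four padding bytes after ifc_len), `copy_out()` stands in for copy_to_user(), and the 0xAA fill is a constructed stand-in for stale stack content left behind by an earlier call. The pre-fix and post-fix shapes of dev_ifconf() are modelled side by side on the `ifcbuf == 0` branch shown in the hunk (length 0, NULL buffer), and the number of stale bytes that reach the user copy is counted. Function and type names are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's native struct ifconf: an int followed by a
 * pointer-sized member.  On an LP64 ABI the compiler inserts four padding
 * bytes after ifc_len; they belong to no field, so no field store ever
 * writes them. */
struct ifconf_like {
	int   ifc_len;
	void *ifc_buf;
};

/* Bytes of the object representation that no field covers
 * (0 on ILP32, 4 on LP64). */
size_t padding_bytes(void)
{
	return sizeof(struct ifconf_like) - sizeof(int) - sizeof(void *);
}

/* Stand-in for copy_to_user(): the whole object is copied, padding
 * included, which is exactly why uninitialised padding is a leak. */
static void copy_out(unsigned char *user, const void *kernel, size_t n)
{
	memcpy(user, kernel, n);
}

/* Pre-fix shape of dev_ifconf(): fill the fields, copy the object out.
 * 'slot' models the stack slot the struct lives in; a real local variable
 * inherits whatever bytes the previous frame left there. */
void dev_ifconf_leaky(struct ifconf_like *slot, int len, void *buf,
		      unsigned char *user)
{
	slot->ifc_len = len;
	slot->ifc_buf = buf;
	copy_out(user, slot, sizeof *slot);
}

/* Post-fix shape: the explicit memset(0) from the patch zeroes the padding
 * before the fields are filled in. */
void dev_ifconf_fixed(struct ifconf_like *slot, int len, void *buf,
		      unsigned char *user)
{
	memset(slot, 0, sizeof *slot);
	slot->ifc_len = len;
	slot->ifc_buf = buf;
	copy_out(user, slot, sizeof *slot);
}

/* Count bytes of the copied-out image that still carry the stale marker. */
static size_t count_marker(const unsigned char *user, size_t n,
			   unsigned char marker)
{
	size_t hits = 0;
	for (size_t i = 0; i < n; i++)
		if (user[i] == marker)
			hits++;
	return hits;
}

#define STALE 0xAA	/* constructed "previous frame" content */

/* Run one variant on the ifcbuf == 0 branch (len 0, NULL buffer, so every
 * field byte is 0x00) and return how many STALE bytes reach userland. */
size_t leaked_bytes(int fixed)
{
	struct ifconf_like slot;
	unsigned char user[sizeof slot];

	/* Simulate a dirty stack slot left over from an earlier call. */
	memset(&slot, STALE, sizeof slot);

	if (fixed)
		dev_ifconf_fixed(&slot, 0, NULL, user);
	else
		dev_ifconf_leaky(&slot, 0, NULL, user);

	return count_marker(user, sizeof user, STALE);
}

int main(void)
{
	printf("padding bytes in struct:          %zu\n", padding_bytes());
	printf("stale bytes copied out, pre-fix:  %zu\n", leaked_bytes(0));
	printf("stale bytes copied out, post-fix: %zu\n", leaked_bytes(1));
	return 0;
}
```

On a 64-bit build the pre-fix variant copies out exactly the four padding bytes, the post-fix variant none; on a 32-bit build the struct has no padding and neither variant leaks, which is why the bug only shows on the 64-bit kernel's compat path. The memset is the reliable fix: the C standard leaves padding unspecified after member stores and does not guarantee that aggregate initialisers zero it, so any structure handed to copy_to_user() should be zeroed as a whole before its fields are set.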
