[Lucid CVE-2012-6540] ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)
Luis Henriques
luis.henriques at canonical.com
Fri Mar 22 15:05:30 UTC 2013
From: Mathias Krause <minipli at googlemail.com>
CVE-2012-6540
BugLink: http://bugs.launchpad.net/bugs/1156732
If at least one of CONFIG_IP_VS_PROTO_TCP or CONFIG_IP_VS_PROTO_UDP is
not set, __ip_vs_get_timeouts() does not fully initialize the structure
that gets copied to userland and that for leaks up to 12 bytes of kernel
stack. Add an explicit memset(0) before passing the structure to
__ip_vs_get_timeouts() to avoid the info leak.
Signed-off-by: Mathias Krause <minipli at googlemail.com>
Cc: Wensong Zhang <wensong at linux-vs.org>
Cc: Simon Horman <horms at verge.net.au>
Cc: Julian Anastasov <ja at ssi.bg>
Signed-off-by: David S. Miller <davem at davemloft.net>
(back ported from commit 2d8a041b7bfe1097af21441cb77d6af95f4f4680)
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
Conflicts:
net/netfilter/ipvs/ip_vs_ctl.c
---
net/netfilter/ipvs/ip_vs_ctl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 02b2610..9bcd972 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2455,6 +2455,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
{
struct ip_vs_timeout_user t;
+ memset(&t, 0, sizeof(t));
__ip_vs_get_timeouts(&t);
if (copy_to_user(user, &t, sizeof(t)) != 0)
ret = -EFAULT;
--
1.8.1.2
More information about the kernel-team
mailing list