net: fix infoleak in llc (CVE-2016-4485)

debian/changelog

@@ -103,6 +103,7 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
 
   [ Salvatore Bonaccorso ]
   * KEYS: Fix ASN.1 indefinite length object parsing (CVE-2016-0758)
+  * net: fix infoleak in llc (CVE-2016-4485)
 
   [ Ben Hutchings ]
   * gencontrol.py: Fix implementation of [packages]tools config option,

debian/patches/bugfix/all/net-fix-infoleak-in-llc.patch

@@ -0,0 +1,32 @@
+From b8670c09f37bdf2847cc44f36511a53afc6161fd Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:35:05 -0400
+Subject: [PATCH] net: fix infoleak in llc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “info” has a total size of 12 bytes. Its last byte
+is padding which is not initialized and leaked via “put_cmsg”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/llc/af_llc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index b3c52e3..8ae3ed9 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
+ 	if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
+ 		struct llc_pktinfo info;
+ 
++		memset(&info, 0, sizeof(info));
+ 		info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
+ 		llc_pdu_decode_dsap(skb, &info.lpi_sap);
+ 		llc_pdu_decode_da(skb, info.lpi_mac);
+-- 
+2.8.1
+

debian/patches/series

@@ -136,6 +136,7 @@ bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
 bugfix/all/bpf-fix-refcnt-overflow.patch
 bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
 bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
+bugfix/all/net-fix-infoleak-in-llc.patch
 
 # ABI maintenance
 debian/ib-fix-abi-change-in-4.5.3.patch