32 lines
1.1 KiB
Diff
32 lines
1.1 KiB
Diff
From: Mathias Krause <minipli@googlemail.com>
|
|
Date: Wed, 15 Aug 2012 11:31:57 +0000
|
|
Subject: net: fix info leak in compat dev_ifconf()
|
|
|
|
[ Upstream commit 43da5f2e0d0c69ded3d51907d9552310a6b545e8 ]
|
|
|
|
The implementation of dev_ifconf() for the compat ioctl interface uses
|
|
an intermediate ifc structure allocated in userland for the duration of
|
|
the syscall. Though, it fails to initialize the padding bytes inserted
|
|
for alignment and that for leaks four bytes of kernel stack. Add an
|
|
explicit memset(0) before filling the structure to avoid the info leak.
|
|
|
|
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
---
|
|
net/socket.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/net/socket.c b/net/socket.c
|
|
index 273cbce..68879db 100644
|
|
--- a/net/socket.c
|
|
+++ b/net/socket.c
|
|
@@ -2645,6 +2645,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32)
|
|
if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf)))
|
|
return -EFAULT;
|
|
|
|
+ memset(&ifc, 0, sizeof(ifc));
|
|
if (ifc32.ifcbuf == 0) {
|
|
ifc32.ifc_len = 0;
|
|
ifc.ifc_len = 0;
|