Information leak in packet code: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3876
From: Vasiliy Kulikov <[email protected]> Date: Wed, 10 Nov 2010 12:09:10 -0800 Subject: [PATCH] net: packet: fix information leak to userland
commit 67286640f638f5ad41a946b9a3dc75327950248f upstream. packet_getname_spkt() doesn't initialize all members of sa_data field of sockaddr struct if strlen(dev->name) < 13. This structure is then copied to userland. It leads to leaking of contents of kernel stack memory. We have to fully fill sa_data with strncpy() instead of strlcpy(). The same with packet_getname(): it doesn't initialize sll_pkttype field of sockaddr_ll. Set it to zero. Signed-off-by: Vasiliy Kulikov <[email protected]> Signed-off-by: David S. Miller <[email protected]> [jmm: Backported to 2.6.32] --- --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1526,7 +1526,7 @@ uaddr->sa_family = AF_PACKET; dev = dev_get_by_index(sock_net(sk), pkt_sk(sk)->ifindex); if (dev) { - strlcpy(uaddr->sa_data, dev->name, 15); + strncpy(uaddr->sa_data, dev->name, 14); dev_put(dev); } else memset(uaddr->sa_data, 0, 14); @@ -1549,6 +1549,7 @@ sll->sll_family = AF_PACKET; sll->sll_ifindex = po->ifindex; sll->sll_protocol = po->num; + sll->sll_pkttype = 0; dev = dev_get_by_index(sock_net(sk), po->ifindex); if (dev) { sll->sll_hatype = dev->type;
_______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
