This is a note to let you know that I've just added the patch titled
Bluetooth: sco: fix information leak to userspace
to the 2.6.38-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bluetooth-sco-fix-information-leak-to-userspace.patch
and it can be found in the queue-2.6.38 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
From c4c896e1471aec3b004a693c689f60be3b17ac86 Mon Sep 17 00:00:00 2001
From: Vasiliy Kulikov <[email protected]>
Date: Mon, 14 Feb 2011 13:54:26 +0300
Subject: Bluetooth: sco: fix information leak to userspace
commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.
struct sco_conninfo has one padding byte in the end. Local variable
cinfo of type sco_conninfo is copied to userspace with this uninitialized
one byte, leading to old stack contents leak.
Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Gustavo F. Padovan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/bluetooth/sco.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -703,6 +703,7 @@ static int sco_sock_getsockopt_old(struc
break;
}
+ memset(&cinfo, 0, sizeof(cinfo));
cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
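Review bot: The added memset(&cinfo, 0, sizeof(cinfo)) carries no comment, and because hci_handle and dev_class are both assigned on the two lines that follow, it reads as redundant and could be dropped in a later cleanup. Suggest a one-line comment above it saying that it clears the struct's trailing padding byte before cinfo is copied to userspace, which is the reason the commit message gives.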
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.38/bluetooth-bnep-fix-buffer-overflow.patch
queue-2.6.38/bridge-netfilter-fix-information-leak.patch
queue-2.6.38/bluetooth-sco-fix-information-leak-to-userspace.patch
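The padding-byte leak described in the commit message, reproduced in userspace as an added example (not code from the patch or the kernel tree). The struct name `conninfo`, its field types, the poison value and the sample handle and class bytes are assumptions made for illustration; `memcpy()` stands in for the copy to userspace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 2-byte handle plus 3 class bytes; the 2-byte alignment
 * of the handle forces one trailing padding byte (sizeof == 6). */
struct conninfo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};

#define POISON 0xAA  /* constructed stand-in for stale stack contents */

/* Bytes at the end of the struct that no member covers. */
size_t trailing_padding(void)
{
    struct conninfo c;
    return sizeof(c) - offsetof(struct conninfo, dev_class) - sizeof(c.dev_class);
}

/* Fill the struct member by member, as the hunk does, then copy it out
 * whole. zero_first selects the patched behaviour. */
void fill_conninfo(unsigned char *out, int zero_first)
{
    static const uint8_t cls[3] = { 0x0c, 0x02, 0x5a };  /* constructed */
    struct conninfo cinfo;

    memset(&cinfo, POISON, sizeof(cinfo));  /* simulate a dirty stack slot */
    if (zero_first)
        memset(&cinfo, 0, sizeof(cinfo));   /* the fix from the patch */
    cinfo.hci_handle = 0x002a;              /* constructed handle */
    memcpy(cinfo.dev_class, cls, sizeof(cls));
    memcpy(out, &cinfo, sizeof(cinfo));     /* stand-in for copy_to_user() */
}

/* Count padding bytes in the copied-out buffer that still hold poison. */
size_t leaked_bytes(int zero_first)
{
    unsigned char out[sizeof(struct conninfo)];
    size_t i, n = 0;

    fill_conninfo(out, zero_first);
    for (i = sizeof(out) - trailing_padding(); i < sizeof(out); i++)
        n += (out[i] == POISON);
    return n;
}

int main(void)
{
    printf("padding=%zu unfixed=%zu fixed=%zu\n", trailing_padding(), leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

The same `sizeof` versus `offsetof` comparison works as a review check on any struct that is copied to userspace whole.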